Advertisement targeting through embedded scripts in supply-side and demand-side platforms

ABSTRACT

An apparatus and a system of improvement of advertisement targeting through embedded scripts in supply-side and demand-side platforms are disclosed. In one embodiment, a method of a client device includes applying an automatic content recognition algorithm to determine a content identifier of an audio-visual data. The client device then associates the content identifier with an advertisement data based on a semantic correlation between a meta-data of the advertisement provided by a content provider and/or the content identifier. The advertisement targeting may be improved when a script is embedded in the client device, a supply-side platform, and/or a data provider integrated with the supply side platform, to execute arbitrary cross-site scripts in the sandboxed application of the client device. The content identifier may be obfuscated in a manner that it is relevant to a particular demand-side platform to eliminate a need to query the provider of the content identifier on a per ad-spot basis. The demand-side platform may submit requests to the advertising exchange based on a constraint type rather than through a bidding methodology on a per advertisement spot basis.

CLAIM OF PRIORITY

This application is a Continuation application of and claims priorityto, and incorporates herein by reference the entire specification of theU.S. utility application Ser. No. 14/018,415 titled, “ADVERTISEMENTTARGETING THROUGH EMBEDDED SCRIPTS IN SUPPLY-SIDE AND DEMAND-SIDEPLATFORMS” filed on Sep. 4, 2013. The U.S. utility application Ser. No.14/018,415 further claims the priority to the applications:

-   -   1. This disclosure claims priority to, and incorporates herein        by reference the entire Specification of U.S. Provisional Patent        application No. 61/696,711 filed on Sep. 4, 2012 and titled        “SYSTEMS AND METHODS FOR RECOGNIZING CONTENT”.    -   2. This disclosure claims priority to, and incorporates herein        by reference the entire Specification of U.S. Continuation        application Ser. No. 13/470,814 titled “DISCOVERY, ACCESS        CONTROL, AND COMMUNICATION WITH NETWORKED SERVICES FROM WITHIN A        SECURITY SANDBOX” filed on May 14, 2012 and granted into U.S.        Pat. No. 8,539,072 on Sep. 17, 2013.        -   a. which itself is a Continuation patent application of Ser.            No. 12/592,377 titled “DISCOVERY, ACCESS CONTROL, AND            COMMUNICATION WITH NETWORKED SERVICES FROM WITHIN A SECURITY            SANDBOX”, filed on Nov. 23, 2009 and granted into U.S. Pat.            No. 8,180,891 on May 15, 2012.            -   i. which claims priority to U.S. Provisional patent                application 61/118,286 titled “DISCOVERY, ACCESS                CONTROL, AND COMMUNICATION WITH NETWORKED SERVICES FROM                WITHIN A SECURITY SANDBOX” filed on Nov. 26, 2008.    -   3. This disclosure claims priority to, and incorporates herein        by reference the entire specification of U.S. Utility patent        application Ser. No. 13/736,031 titled “ZERO CONFIGURATION        COMMUNICATION BETWEEN A BROWSER AND A NETWORKED MEDIA DEVICE”        filed on Jan. 7, 2013 and granted into U.S. Pat. No. 9,154,942        on Oct. 6, 2015.        -   a. which claims priority to U.S. Provisional patent            application 61/584,168 titled CAPTURING CONTENT FOR DISPLAY            ON A TELEVISION filed on Jan. 6, 2012.

FIELD OF TECHNOLOGY

This disclosure relates generally to the technical field of networking,and in one example embodiment, this disclosure relates to a method, anapparatus, and a system of improvement of advertisement targetingthrough embedded scripts in supply-side and demand-side platforms.

BACKGROUND

A supply-side platform may be a technology platform to enable publishersto manage their advertising impression inventory and/or maximize revenuefrom digital media. A demand-side platform may be a system that allowsbuyers of digital advertising to manage multiple advertising exchangeand/or data exchange accounts through an interface. An advertisingtargeting system may not be able to capture relevant information fromthe supply-side platform and/or a demand-side platform when makingadvertisement placement decisions. This may limit the targetability ofan advertisement to a user.

SUMMARY

An apparatus and a system of improvement of advertisement targetingthrough embedded scripts in supply-side and demand-side platforms aredisclosed. In one aspect, a method of a client device includes applyingan automatic content recognition algorithm to determine a contentidentifier of an audio-visual data. The client device then associatesthe content identifier with an advertisement data based on a semanticcorrelation between a meta-data of the advertisement provided by acontent provider and/or the content identifier. Advertisement targetingis improved when a script is embedded in the client device, asupply-side platform, and/or a data provider integrated with the supplyside platform. Arbitrary cross-site scripts is executed in the sandboxedapplication of the client device. The content identifier is obfuscatedin a manner that it is relevant to a particular demand-side platform toeliminate a need to query the provider of the content identifier on aper ad-spot basis. The demand-side platform submits requests to theadvertising exchange based on a constraint type rather than through abidding methodology on a per advertisement spot basis.

The advertisement data may be generated through an advertising exchangeserver based on the content identifier of the audio-visual data and/or apublic internet-protocol address associated with an applicationrequesting the advertisement data. A provider of the content identifiermay receive a compensation when the advertisement data is associatedwith the audio-visual data based on the public internet protocol addressassociated with the application requesting the advertisement data.

The provider of the content may append a set of content identifiers fromassociated clients and/or a viewing history from associated clients to aplurality of advertisements and/or resells the advertisement data backto the advertising exchange based on the appended content identifiers. Acapture infrastructure may annotate the audio-visual data with a brandname and/or a product name by comparing entries in the master databasewith a closed captioning data of the audio-visual data and/or through anapplication of an optical character recognition algorithm in theaudio-visual data. A sandboxed application of the client device mayrequest access to a microphone and/or a camera on the client device tocapture a raw audio/video data.

The capture infrastructure may process the raw audio/video data with thebrand name and/or the product name by comparing entries in the masterdatabase with the raw audio/video data and/or through the application ofa sensory recognition algorithm of the raw audio/video data. Thesandboxed application may query a MAC address of the sandbox reachableservice in a common private network. The sandbox reachable service mayoptionally verify that the sandboxed application is in the commonprivate network. The sandbox reachable service may communicate a MACaddress of the sandboxed application to the sandboxed application whenthe common private network is shared. The sandboxed application maystore the MAC address of the sandboxed application and/or a uniqueidentifier derived from the MAC address of the sandboxed application.

The sandboxed application may communicate the MAC address and/or theunique identifier to the pairing server. A script may be automaticallyregenerated that is embedded in the client device, a supply-sideplatform, and/or a data provider integrated with the supply sideplatform when the common private network is shared by the sandboxedapplication and/or sandboxed application based on the MAC address of thesandboxed application and/or the unique identifier communicated to thepairing server.

The content identifier may involve a music identification, an objectidentification, a facial identification, and/or a voice identification.A minimal functionality including accessing a tuner and/or a streamdecoder that identifies a channel and/or a content may be found in thenetworked media device. The networked media device may produce an audiofingerprint and/or a video fingerprint that is communicated with thecapture infrastructure.

The capture infrastructure may compare the audio fingerprint and/or thevideo fingerprint with a master database. The capture infrastructure mayfurther annotate the audio-visual data with a logo name by comparingentries in the master database with a logo data of the audio-visual dataidentified using a logo detection algorithm. The capture infrastructuremay automatically divide the audio-visual data into a series of scenesbased on a sematic grouping of actions in the audio-visual data. Theaudio-visual data may be analyzed in advance of a broadcast to determinecontent identifiers associated with each commercial in the audio-visualdata such that advertisements are pre-inserted into the audio-visualdata prior to broadcast.

The capture infrastructure may apply a time-order algorithm toautomatically match advertisements to the audio-visual data when acorrelation pattern is identified by the capture infrastructure withother audio-visual content previously analyzed. The captureinfrastructure may include a buffer that is saved to a persistentstorage and/or for which a label is generated to facilitateidentification of reoccurring sequences. A post processing operation maybe automated through a post-processing algorithm and/or a crowd-sourcedoperation using a plurality of users in which a turing test is appliedto determine a veracity of an input.

A device pairing algorithm may be used in which a cookie data associatedwith a web page visited by the user stored on a browser on the clientdevice is paired with the networked media device when the client deviceis communicatively coupled with the networked media device. A transitivepublic IP matching algorithm may be utilized in which the client deviceand/or the networked media device communicates each public IP addresswith any paired entity to the capture infrastructure. A tag that isunconstrained from a same-origin policy may be used to automaticallyload the advertisement in the browser, the tag is an image tag, a frame,a iframe, and/or a script tag.

An additional metadata including the content identifier and/or theadvertisement based on a video processing algorithm may be referenced.The additional meta data may be a title, a description, a thumbnail, aname of an individual, and/or a historical data. The additional metadatamay be determined from a browser history captured from the client devicebased on a capture policy, and/or correlating a relevance of the browserhistory with the content identifier and/or the advertisement.

In another embodiment, a method of a networked device includes applyingan automatic content recognition algorithm to determine a contentidentifier of an audio-visual data and associating the contentidentifier with an advertisement data based on a semantic correlationbetween a meta-data of the advertisement provided by a content providerand/or the content identifier. Advertisement targeting is improved whena script is embedded in the client device, a supply-side platform,and/or a data provider integrated with the supply side platform.Arbitrary cross-site scripts is executed in the sandboxed application ofthe client device. The content identifier is obfuscated in a manner thatit is relevant to a particular demand-side platform to eliminate a needto query the provider of the content identifier on a per ad-spot basis.The demand-side platform submits requests to the advertising exchangebased on a constraint type rather than through a bidding methodology ona per advertisement spot basis.

In yet another embodiment, a system includes a networked device and/or aclient device to apply an automatic content recognition algorithm todetermine a content identifier of an audio-visual data and/or toassociate the content identifier with an advertisement data based on asemantic correlation between a meta-data of the advertisement providedby a content provider and/or the content identifier. In addition, thesystem includes a capture infrastructure to annotate the audio-visualdata with a brand name and/or a product name by comparing entries in themaster database with a closed captioning data of the audio-visual dataand/or through an application of an optical character recognitionalgorithm in the audio-visual data.

Furthermore, the system includes an advertising exchange server togenerate an advertisement based on the content identifier of theaudio-visual data and/or a public internet-protocol address associatedwith an application requesting the advertisement data. In thisembodiment, advertising targeting is improved when a script is embeddedin the client device, a supply-side platform, and/or a data providerintegrated with the supply side platform. Arbitrary cross-site scriptsis executed in the sandboxed application of the client device. Thecontent identifier is obfuscated in a manner that it is relevant to aparticular demand-side platform to eliminate a need to query theprovider of the content identifier on a per ad-spot basis. Thedemand-side platform submits requests to the advertising exchange basedon a constraint type rather than through a bidding methodology on a peradvertisement spot basis.

The methods, system, and/or apparatuses disclosed herein may beimplemented in any means for achieving various aspects, and may beexecuted in a form of machine readable medium embodying a set ofinstruction that, when executed by a machine, causes the machine toperform any of the operations disclosed herein. Other features will beapparent from the accompanying drawing and from the detailed descriptionthat follows.

BRIEF DESCRIPTION OF DRAWINGS

Example embodiments are illustrated by way of example and not limitationin the figures of the accompanying drawing, in which like referencesindicate similar elements and in which:

FIG. 1 is a block diagram of a system of automatic bidirectionalcommunication between multiple devices sharing a common network,according to one embodiment.

FIG. 2 is a block diagram of a system of automatic bidirectionalcommunication between a client device 100 and a networked device 102using a server, according to one embodiment.

FIG. 3 is an exploded view of the security sandbox 104, according to oneembodiment.

FIG. 4 is an exploded view of the pairing server 200, according to oneembodiment.

FIG. 5 is an exploded view of the client device 100, according to oneembodiment.

FIG. 6 is a table of example network information stored in a database422 of a pairing server 200, according to one embodiment.

FIG. 7 is a block diagram of a method by which a security sandbox 104can communicate with a sandbox reachable service 114 that previouslyoperated on a shared network 202, according to one embodiment.

FIG. 8 is a schematic diagram of a private network 800 and a privatenetwork 802 communicating over the public Internet via a NAT device 804and a NAT device 806, according to one embodiment.

Other features of the present embodiments will be apparent from theaccompanying drawings and from the detailed description that follows.

DETAILED DESCRIPTION

An apparatus and a system of improvement of advertisement targetingthrough embedded scripts in supply-side and demand-side platforms aredisclosed.

In one embodiment, a method of a client device 100 includes applying anautomatic content recognition algorithm (e.g., from the algorithmlibrary 107) to determine a content identifier 111 of an audio-visualdata. The client device 100 then associates the content identifier 111with an advertisement data 113 based on a semantic correlation between ameta-data of the advertisement provided by a content provider and/or thecontent identifier 111. Advertisement targeting (e.g., how relevant anadvertisement is to a user) is improved when a script (e.g., aJavascript code, a cookie) is embedded in the client device 100, asupply-side platform (e.g., a technology platform with the singlemission of enabling publishers to manage their ad impression inventoryand maximize revenue from digital media), and/or a data providerintegrated with the supply side platform.

Arbitrary cross-site scripts are executed in the sandboxed application112 of the client device 100. The content identifier 111 are obfuscatedin a manner that it is relevant to a particular demand-side platform(e.g., a system that allows buyers of digital advertising to managemultiple ad exchange and data exchange accounts through one interface)to eliminate a need to query the provider of the content identifier 111on a per ad-spot basis. The demand-side platform submits requests to theadvertising exchange server 115 based on a constraint type rather thanthrough a bidding methodology on a per advertisement spot basis.

The advertisement data 113 may be generated through an advertisingexchange server 115 based on the content identifier 111 of theaudio-visual data and/or a public internet-protocol address associatedwith an application requesting the advertisement data 113. A provider ofthe content identifier 111 may receive a compensation when theadvertisement data 113 is associated with the audio-visual data based onthe public internet protocol address associated with the applicationrequesting the advertisement data 113.

The provider of the content may append a set of content identifiers(e.g., the content identifier 111) from associated clients and/or aviewing history from associated clients to a plurality of advertisementsand/or resells the advertisement data 113 back to the advertisingexchange server 115 based on the appended content identifiers (e.g.,content identifier 111). A capture infrastructure 105 may annotate theaudio-visual data with a brand name and/or a product name by comparingentries in the master database 109 with a closed captioning data of theaudio-visual data and/or through an application of an optical characterrecognition algorithm (e.g., from the algorithm library 107) in theaudio-visual data. A sandboxed application 112 of the client device 100may request access to a microphone and/or a camera on the client device100 to capture a raw audio/video data.

The capture infrastructure 105 may process the raw audio/video data withthe brand name and/or the product name by comparing entries in themaster database 109 with the raw audio/video data and/or through theapplication of a sensory recognition algorithm (e.g., from the algorithmlibrary 107) of the raw audio/video data.

The sandboxed application 112 may query a MAC address of the sandboxreachable service 114 in a common private network. The sandbox reachableservice 114 may optionally verify that the sandboxed application 112 isin the common private network. The sandbox reachable service 114 maycommunicate a MAC address of the sandboxed application 112 to thesandboxed application 112 when the common private network is shared. Thesandboxed application 112 may store the MAC address of the sandboxedapplication 112 and/or a unique identifier derived from the MAC addressof the sandboxed application 112.

The sandboxed application 112 may communicate the MAC address and/or theunique identifier to the pairing server. A script may be automaticallyregenerated that is embedded in the client device 100, a supply-sideplatform, and/or a data provider integrated with the supply sideplatform when the common private network is shared by the sandboxedapplication 112 and/or sandboxed application 112 based on the MACaddress of the sandboxed application 112 and/or the unique identifiercommunicated to the pairing server.

In another embodiment, a method of a networked device includes applyingan automatic content recognition algorithm (e.g., from the algorithmlibrary 107) to determine a content identifier 111 of an audio-visualdata and associating the content identifier 111 with an advertisementdata 113 based on a semantic correlation between a meta-data of theadvertisement provided by a content provider and/or the contentidentifier 111.

In this another embodiment, advertising targeting (e.g., how relevant anadvertisement is to a user) is improved when a script (e.g., aJavascript code, a cookie) is embedded in the client device 100, asupply-side platform (e.g., a technology platform with the singlemission of enabling publishers to manage their ad impression inventoryand maximize revenue from digital media), and/or a data providerintegrated with the supply side platform. Arbitrary cross-site scriptsare executed in the sandboxed application 112 of the client device 100.The content identifier 111 are obfuscated in a manner that it isrelevant to a particular demand-side platform (e.g., a system thatallows buyers of digital advertising to manage multiple ad exchange anddata exchange accounts through one interface) to eliminate a need toquery the provider of the content identifier 111 on a per ad-spot basis.The demand-side platform submits requests to the advertising exchangeserver 115 based on a constraint type rather than through a biddingmethodology on a per advertisement spot basis.

In yet another embodiment, a system includes a networked device and/or aclient device 100 to apply an automatic content recognition algorithm(e.g., from the algorithm library 107) to determine a content identifier111 of an audio-visual data and/or to associate the content identifier111 with an advertisement data 113 based on a semantic correlationbetween a meta-data of the advertisement provided by a content providerand/or the content identifier 111. In addition, the system includes acapture infrastructure 105 to annotate the audio-visual data with abrand name and/or a product name by comparing entries in the masterdatabase 109 with a closed captioning data of the audio-visual dataand/or through an application of an optical character recognitionalgorithm (e.g., from the algorithm library 107) in the audio-visualdata.

In one embodiment, a method of a client device 100 includes applying anautomatic content recognition algorithm (e.g., in the algorithm library107) to determine a content identifier 111 of an audio-visual data(e.g., a movie, a television show, an advertisement, etc.). The clientdevice 100 then associates the content identifier 111 with anadvertisement data 113 based on a semantic correlation between ameta-data of the advertisement (a particular advertisement of theadvertisement data 113) provided by a content provider (e.g., anorganization providing advertisements) and/or the content identifier111. A capture infrastructure 105 annotates the audio-visual data with abrand name and/or a product name by comparing entries in the masterdatabase 109 with a closed captioning data of the audio-visual dataand/or through an application of an optical character recognitionalgorithm (e.g., in the algorithm library 107) in the audio-visual data.The content identifier 111 may involve a music identification, an objectidentification, a facial identification, and/or a voice identification.A minimal functionality including accessing a tuner and/or a streamdecoder that identifies a channel and/or a content may be found in thenetworked media device (e.g., the networked device 102). The networkedmedia device (e.g., the networked device 102) may produce an audiofingerprint and/or a video fingerprint that is communicated with thecapture infrastructure 105.

The capture infrastructure 105 may compare the audio fingerprint and/orthe video fingerprint with a master database 109. The captureinfrastructure 105 may further annotate the audio-visual data with alogo name by comparing entries in the master database 109 with a logodata of the audio-visual data identified using a logo detectionalgorithm (e.g., in the algorithm library 107). The captureinfrastructure 105 may automatically divide the audio-visual data into aseries of scenes based on a sematic grouping of actions in theaudio-visual data. The audio-visual data may be analyzed in advance of abroadcast to determine content identifiers (e.g., the content identifier111) associated with each commercial in the audio-visual data such thatadvertisements are pre-inserted into the audio-visual data prior tobroadcast.

The capture infrastructure 105 may apply a time-order algorithm (e.g.,in the algorithm library 107) to automatically match advertisements tothe audio-visual data when a correlation pattern is identified by thecapture infrastructure 105 with other audio-visual content previouslyanalyzed. The capture infrastructure 105 may include a buffer that issaved to a persistent storage and/or for which a label is generated tofacilitate identification of reoccurring sequences. A post processingoperation may be automated through a post-processing algorithm (e.g., inthe algorithm library 107) and/or a crowd-sourced operation using aplurality of users in which a turing test is applied to determine averacity of an input.

A device pairing algorithm (e.g., in the algorithm library 107) may beused in which a cookie data associated with a web page visited by theuser stored on a browser on the client device 100 is paired with thenetworked media device (e.g., the networked device 102) when the clientdevice 100 is communicatively coupled with the networked media device(e.g., the networked device 102). A transitive public IP matchingalgorithm (e.g., in the algorithm library 107) may be utilized in whichthe client device 100 and/or the networked media device (e.g., thenetworked device 102) communicates each public IP address with anypaired entity to the capture infrastructure 105. A tag that isunconstrained from a same-origin policy may be used to automaticallyload the advertisement in the browser, the tag is an image tag, a frame,a iframe, and/or a script tag.

An additional metadata including the content identifier 111 and/or theadvertisement based on a video processing algorithm (e.g., in thealgorithm library 107) may be referenced. The additional meta data maybe a title, a description, a thumbnail, a name of an individual, and/ora historical data. The additional metadata may be determined from abrowser history captured from the client device 100 based on a capturepolicy, and/or correlating a relevance of the browser history with thecontent identifier 111 and/or the advertisement.

In another embodiment, a method of a networked device includes applyingan automatic content recognition algorithm (e.g., in the algorithmlibrary 107) to determine a content identifier 111 of an audio-visualdata, and associating the content identifier 111 with an advertisementdata 113 based on a semantic correlation between a meta-data of theadvertisement provided by a content provider and/or the contentidentifier 111. In this other aspect, a capture infrastructure 105annotates the audio-visual data with a brand name and/or a product nameby comparing entries in the master database 109 with a closed captioningdata of the audio-visual data and/or through an application of anoptical character recognition algorithm (e.g., in the algorithm library107) in the audio-visual data.

In yet another embodiment, a system includes a networked device and/or aclient device 100 to apply an automatic content recognition algorithm(e.g., in the algorithm library 107) to determine a content identifier111 of an audio-visual data and/or to associate the content identifier111 with an advertisement data 113 based on a semantic correlationbetween a meta-data of the advertisement provided by a content providerand/or the content identifier 111. The system also includes a captureinfrastructure 105 to annotate the audio-visual data with a brand nameand/or a product name by comparing entries in the master database 109with a closed captioning data of the audio-visual data and/or through anapplication of an optical character recognition algorithm (e.g., in thealgorithm library 107) in the audio-visual data.

FIG. 1 is a block diagram of a system of automatic bidirectionalcommunication (e.g., sending and receiving information in bothdirections without prior configuration by a human) between multipledevices sharing a common network, according to one embodiment. FIG. 1shows a client device 100, a networked device 102, a security sandbox104, an executable environment 106, a processor 108, a storage 109, amemory 110, a sandboxed application 112, and a sandbox reachable service114. The client device 100 communicates bidirectionally with thenetworked device 102 of FIG. 1.

According to one embodiment, a client device 100 may be a computer, asmartphone, and/or any other hardware with a program that initiatescontact with a server to make use of a resource. A client device 100 mayconstrain an executable environment 106 in a security sandbox 104,execute a sandboxed application 112 in a security sandbox 104 using aprocessor 108 and a memory 110, and automatically instantiate (e.g.,manifest) a connection (e.g., a complete path between two terminals overwhich two-way communications may be provided) between a sandboxedapplication 112 and a sandbox reachable service 114 of the networkeddevice 102.

According to one embodiment, a networked device 102 may be a television,stereo, game console, another computer, and/or any other hardwareconnected by communications channels that allow sharing of resources andinformation. A networked device 102 may comprise a number of sandboxreachable applications. A networked device 102 may announce a sandboxreachable service 114 using a processor 108 and a memory 110. Accordingto one embodiment, a processor 108 may be a central processing unit(CPU), a microprocessor, and/or any other hardware within a computersystem which carries out the instructions of a program by performing thebasic arithmetical, logical, and input/output operations of the system.According to one embodiment, a memory 110 may be a random access memory(RAM), a read only memory (ROM), a flash memory, and/or any otherphysical devices used to store programs or data for use in a digitalelectronic device.

The security sandbox 104, the processor 108, the storage 109, and thememory 110 each exist within the client device 100 of FIG. 1, and theycommunicate bidirectionally with each other. According to oneembodiment, a security sandbox 104 may be an operating system on whichthe sandboxed application 112 is hosted, a browser application of theoperating system, and/or any other mechanism for separating runningprograms to execute untested code and/or untrusted programs fromunverified third-parties, suppliers, untrusted users, and untrustedwebsites. According to one embodiment, a storage 109 may be a technologyconsisting of computer components and recording media used to retaindigital data.

The executable environment 106 exists within the security sandbox 104 ofFIG. 1. According to one embodiment, an executable environment 106 maybe a virtual machine, a jail, a scripting language interpreter, ascratch space on disk and memory, and/or any other tightly controlledset of resources in which to run guest programs.

The sandboxed application 112 exists within the executable environment106 of FIG. 1. According to one embodiment, a sandboxed application 112may be an untested code, an untrusted program (e.g., from an untrustedweb page), and/or any other software that can be executed with theappropriate runtime environment of the security sandbox 104.

The sandbox reachable service 114 exists within the networked device 102of FIG. 1. According to one embodiment, a sandbox reachable service 114may be a smart television application, a set-top box application, anaudio device application, a game console application, a computerapplication, and/or any other service that can be discovered andcommunicated with from within the sandboxed application 112. FIG. 1 mayencompass constraining a sandbox reachable service 114 in a securitysandbox 104 where it is described sandbox reachable service 114,according to one embodiment. A security sandbox 104 may not allow asandbox reachable service 114 that is constrained in the securitysandbox 104 to open a server socket and receive inbound connections.However, a sandbox reachable service 114 that is constrained in thesecurity sandbox 104 may still announce and be discovered, but allcommunications between a client device 100 and a networked device 102may need to traverse through a relay in a pairing server 200.

FIG. 2 is a block diagram of a system of automatic bidirectionalcommunication between a client device 100 and a networked device 102using a server, according to one embodiment. FIG. 2 shows a clientdevice 100, a networked device 102, a security sandbox 104, anexecutable environment 106, a processor 108, a memory 110, a sandboxedapplication 112, a pairing server 200, a shared network 202, a Wide AreaNetwork (WAN) 204, a devices 206, a global unique identifier (GUID) 208,an alphanumeric name 210, a private address pair 212, a sandboxreachable service 114, an identification data 216, a switch 218, apublic address pair 220, and a hardware address 222.

The client device 100, the networked device 102, and the devices 206communicate bidirectionally with each other through the switch 218 inthe shared network 202. According to one embodiment, a devices 206 maybe a television, a projection screen, a multimedia display, atouchscreen display, an audio device, a weather measurement device, atraffic monitoring device, a status update device, a global positioningdevice, a geospatial estimation device, a tracking device, abidirectional communication device, a unicast device, a broadcastdevice, a multidimensional visual presentation device, and/or any otherdevices with a network interface. According to one embodiment, a switch218 may be a telecommunication device (e.g., a broadcast, multicast,and/or anycast forwarding hardware) that receives a message from anydevice connected to it and then transmits the message only to the devicefor which the message was meant.

According to one embodiment, a shared network 202 may be a local areanetwork, a multicast network, an anycast network, a multilan network, aprivate network (e.g., any network with a private IP space), and/or anyother collection of hardware interconnected by communication channelsthat allow sharing of resources and information. When a sandboxedapplication 112 and a sandbox reachable service 114 communicate in ashared network 202 common to the client device 100 and a networkeddevice 102 when a connection is established, a client device 100 mayeliminate a communication through a centralized infrastructure (e.g., apairing server 200 which may be used only for discovery), minimizelatency in the communication session (e.g., by establishing a connectionbetween a client device 100 and a networked device 102 rather than byrelaying via a pairing server 200), and improve privacy in thecommunication session.

FIG. 2 may encompass establishing a shared network 202 based on abidirectional communication that does not use a relay service where itis described a shared network 202, according to one embodiment. Multiplelocal area networks (LANs) may share a public IP address. A clientdevice 100 may reside on one LAN, and a sandbox reachable service 114may reside on another LAN. A client device 100 may discover a sandboxreachable service by matching public Internet Protocol (IP) addresses.However, a sandbox reachable service 114 that is not constrained to asecurity sandbox 104 may have an unconstrained view (e.g., it may haveaccess to Media Access Control addresses, Address Resolution Protocol,and/or routing tables) of a shared network 202.

A client device 100 may attempt to communicate with a sandbox reachableservice 114 (e.g., by opening a Transmission Control Protocol connectionand/or by sending a User Datagram Protocol datagram) without using arelay service. A shared network 202 may be established if a connectionsuccessfully handshakes, a datagram arrives, and/or the client device100 and the sandbox reachable service 114 otherwise communicatebidirectionally without using a relay service.

FIG. 2 may also encompass establishing a shared network 202 based on adetermination that a client device 100 and a sandbox reachable service114 reside on a same LAN where it is described a shared network 202,according to one embodiment. For example, a networked device 102 maybroadcast ping (e.g., using Internet Control Message Protocol) andlisten for a response from a client device 100.

FIG. 2 may further encompass establishing a shared network 202 by usingan address resolution protocol (e.g., ARP) where it is described ashared network 202, according to one embodiment. A sandbox reachableservice 114 may determine that a client device 100 resides on a same LANif the IP address of the client device 100 can be resolved to a LANaddress using an IP-to-LAN address resolution protocol (e.g., ARP).

The shared network 202 communicates with the pairing server 200 throughthe WAN 204. According to one embodiment, a pairing server 200 may be acomputer hardware system dedicated to enabling communication between asandboxed application 112 and a sandbox reachable service 114. Accordingto one embodiment, a WAN 204 may be the Internet and/or any othertelecommunications network that links across metropolitan, regional,and/or national boundaries using private and/or public transports. Anetworked device 102 may announce an availability of a sandbox reachableservice 114 across a range of public addresses such that a sandboxedapplication 112 communicates with the sandbox reachable service 114 inany one of the range of the public addresses. However, a range of publicaddresses may be known by a pairing server 200 so that the announcementof the availability of a sandbox reachable service 114 across a range ofpublic addresses is unnecessary.

The identification data 216 exists within the sandbox reachable service114 of FIG. 2. According to one embodiment, an identification data 216may be a reference information associated with an application sharing apublic address with a client device 100, a networked device 102, and/ora devices 206 (e.g., to define a network in which the client device 100,the networked device 102, and/or the devices 206 reside). A clientdevice 100 may access a pairing server 200 when processing anidentification data 216 associated with a sandbox reachable service 114sharing a public address with the client device 100. A pairing server200 may perform a discovery lookup of any device that has announced thatit shares a public address associated with the client device 100.Further, a sandbox reachable service 114 may announce itself to apairing server 200 prior to the establishment of a communication sessionbetween a sandboxed application 112 and the sandbox reachable service114.

The GUID 208, the alphanumeric name 210, the private address pair 212,the public address pair 220, and the hardware address 222 each existwithin the identification data 216 of FIG. 2. According to oneembodiment, a GUID 208 may be a 128-bit reference number used bysoftware programs to uniquely identify the location of a data object.For example, FIG. 2 may be applicable to a GUID 208 of a sandboxreachable service 114 and/or a networked device 102 where it isdescribed a global unique ID 208. It may be preferable to have aone-to-one mapping between a GUID 208 and a networked device 102.However, in the case when a sandbox reachable service 114 may beconstrained to a security sandbox 104, the sandbox reachable service 114may have no way of determining its own IP address and/or whether itresides on a same device with other services. In this case, everysandbox reachable service 114 on the same device may have its own GUID208.

According to one embodiment, an alphanumeric name 210 may be a “Vizio®3641 TV,” a “living room TV,” a “bedroom printer,” and/or any otherhuman-friendly reference name of a networked device 102. According toone embodiment, a private address pair 212 may be a private InternetProtocol (IP) address and a port number associated with an applicationthat sends and/or receives packets. According to one embodiment, apublic address pair 220 may be a public IP address and a port number 604associated with an application that sends and/or receives packets.According to one embodiment, a hardware address 222 may be a MediaAccess Control (MAC) address, a physical address, Ethernet hardwareaddress (EHA), and/or any other unique identifier assigned to networkinterfaces for communications on the physical network segment.

A client device 100 may process an identification data 216 associatedwith a sandbox reachable service 114 sharing a public address with theclient device 100 and determine a private address pair 212 of thesandbox reachable service 114 based on the identification data 216. Anetworked device 102 may also communicate a global unique identifier 208and/or an alphanumeric name 210 to a pairing server 200 along with ahardware address 222 associated with the networked device 102, a publicaddress pair 220 associated with a sandbox reachable service 114 of thenetworked device 102, and/or a private address pair 212 associated withthe sandbox reachable service 114 of the networked device 102.

FIG. 3 is an exploded view of the security sandbox 104, according to oneembodiment. FIG. 3 shows a security sandbox 104, a sandboxed application112, a same origin policy exception 300, a web page 302, a script 304, abinary executable 306, an intermediate bytecode 308, an abstract syntaxtree 310, an executable application 312, a HyperText Markup Language 5(HTML5) application 314, a Javascript® application 316, an Adobe® Flash®application 318, an Asynchronous Javascript® and XML (AJAX) application320, a JQuery® application 324, a Microsoft® Silverlight® application326, a hyperlink 328, a frame 330, a script 332, an image 334, a header336, and a form 338.

The sandboxed application 112 exists within the security sandbox 104 ofFIG. 3. The web page 302, the script 304, the binary executable 306, theintermediate bytecode 308, the abstract syntax tree 310, and theexecutable application 312 are listed as general examples of thesandboxed application 112 of FIG. 3. According to one embodiment, a webpage 302 may be a document and/or an information resource that issuitable for the World Wide Web and can be accessed through a webbrowser and displayed on a monitor and/or a mobile device. According toone embodiment, a script 304 may be a program written for a softwareenvironment that automates the execution of tasks which couldalternatively be executed one-by-one by a human operator.

According to one embodiment, a binary executable 306 may be a binaryfile that may include a program in machine language which is ready to berun. According to one embodiment, an intermediate bytecode 308 may be aprogramming language implementation of instruction set designed forefficient execution by a software interpreter. According to oneembodiment, an abstract syntax tree 310 may be a tree representation ofthe abstract syntactic structure of source code written in a programminglanguage. According to one embodiment, an executable application 312 maybe a file that causes a computer to perform indicated tasks according toencoded instructions.

The HTML5 application 314, the Javascript® application 316, the Adobe®Flash® application 318, the Microsoft® Silverlight® application 326, theJQuery® application 324, and the AJAX application 320 are listed asspecific examples of the general examples of FIG. 3. According to oneembodiment, a HTML5 application 314 may be a program written in thefifth revision of the hypertext markup language standard for structuringand presenting content for the World Wide Web. According to oneembodiment, a Javascript® application 316 may be a program written in ascripting language commonly implemented as part of a web browser inorder to create enhanced user interfaces and dynamic websites. Accordingto one embodiment, an Adobe® Flash® application 318 may be a programwritten for a multimedia and software platform used for authoring ofvector graphics, animation, games and Rich Internet Applications (RIAs)which can be viewed, played, and executed in Adobe® Flash® Player.

According to one embodiment, an AJAX application 320 may be a programusing a XMLHttpRequest method, a program using a Msxml2.XMLHTTP method,a program using a Microsoft.XMLHTTP method, and/or any other web programthat can send data to and retrieve data from a server in the backgroundwithout interfering with the display and behavior of the existing page.According to one embodiment, a JQuery® application 324 may be a programwritten using a multi-browser collection of pre-written Javascript®designed to simply the client-side scripting of HTML. According to oneembodiment, a Microsoft® Silverlight® application 326 may be a programwritten in a framework for writing and running RIAs with features andpurposes similar to those of Adobe® Flash®.

The same origin policy exception 300 extends horizontally below thesecurity sandbox 104 of FIG. 3. According to one embodiment, a sameorigin policy exception 300 may be a cross-domain scripting technique, across-site scripting technique, a document.domain property, aCross-Origin Resource Sharing (CORS), a cross-document messaging, atechnique for relaxing a policy preventing access to methods andproperties across pages on different sites, and/or an access controlalgorithm governing a policy through which a secondary authentication isrequired when establishing a communication between the sandboxedapplication 112 and the networked device 102.

A client device 100 may establish a communication session between asandboxed application 112 and a sandbox reachable service 114 using across-site scripting technique of a security sandbox 104. A clientdevice 100 may also append a header 336 of a hypertext transfer protocolto permit a networked device 102 to communicate with a sandboxedapplication 112 as a permitted origin domain through a Cross-originresource sharing (CORS) algorithm. Further, a client device 100 mayutilize a same origin policy exception 300 through a use of a hyperlink328, a form 338, a script 332, a frame 330, a header 336, and/or animage 334 when establishing the connection between a sandboxedapplication 112 and a sandbox reachable service 114.

For example, FIG. 3 may encompass a HTML5 cross-domain scripting usingpostMessage where it is described HTML5 application 314. WithpostMessage, a calling window may call any other window in a hierarchyincluding those in other domains. A receiving window may set up amessage listener to receive said message and can return results byposting a result message back to a calling frame. Assuming a web pageresiding at http://example.com/index.html:

<iframe src=”http://bar.com” id=”iframe”></iframe> <form id=”form”> <input type=”text″ id=″msg″ value=″Message to send″/>  <inputtype=″submit″/> </form> <script> window.onload = function( ){ var win =document.getElementById(″iframe″).contentWindow;document.getElementById(″form″).onsubmit = function(e){ win.postMessage(document.getElementById(″msg″).value ); e.preventDefault( ); }; };</script>

An iframe may load the following HTML from bar.com:

<b>This iframe is located on bar.com</b> <div id=“test”>Send me amessage!</div> <script> document.addEventListener(“message”,function(e){ document.getElementById(“test”).textContent = e.domain + “said: ” + e.data; }, false); </script>

When a user 820 (e.g., a human agent who uses a service) clicks on thesubmit button, a message may be posted to the frame read from bar.comwhich changes “Send me a message!” to http://bar.com said: Message tosend.

The hyperlink 328, the frame 330, the script 332, the image 334, theheader 336, and the form 338 comprise aspects of the same origin policyexception 300 of FIG. 3. According to one embodiment, a hyperlink 328may be a reference to data that a reader can directly follow and/or thatis followed automatically. FIG. 3 may also be applicable to a hyperlinksend message interface (e.g., a mechanism by which a sandboxedapplication 112 sends a message to a pairing server 200) where it isdescribed a hyperlink 328 using an <A> tag to send a message to apairing server 200 comprised of a discovery service and a relay service.The <A> tag may link to pages that are not in a same domain as a webpage being viewed in a browser. As such a link may point to the pairingserver 200 and arguments to be passed in a message may be encoded askey-value pairs in a uniform resource identifier (URI) query string. Forexample,

-   -   <A HREF=http://pairing_server.com/f?a=10&b=bar>call f</A>

A sandboxed application 112 may announce to the pairing server 200. At alater time, a user 820 may visit example.com and view index.html. Whenthe user 820 clicks on a “call f” hyperlink, a HTTP request may be sentto the pairing server 200. “f” may refer to a path to some arbitraryfunction and key-value pairs a=10 and/or b=bar may be arguments to thatfunction. The pairing server 200 may receive an HTTP GET like thisrequest generated using Google Chrome™:

GET /f?a=10&b=bar HTTP/1.1 Host: pairing_server.com Connection:keep-alive Referer: http://example.dom/index.html Accept:application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63Safari/534.3 Accept-Encoding: gzip,deflate,sdch Accept-Language:en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

The URI may not indicate to which service a message is intended. Thismay be interpreted by the pairing server 200 as a private broadcastmeaning that a message passed via a message query interface (e.g., amechanism to communicate a message from a pairing server 200 to asandbox reachable service 114) is passed to all sandbox reachableservices in a shared network 202. In this case, a response HTML maysimply be a new web page that may include a confirmation dialog and/or anotification that a message has been sent.

According to one embodiment, a frame 330 may be a frameset, an inlineframe, and/or any display of web pages and/or media elements within thesame browser window. According to one embodiment, a script 332 may be aHTML tag used to define a program that may accompany an HTML documentand/or be directly embedded in it. FIG. 3 may encompass a SCRIPT tagwhere it is described a script 332 used to contact the pairing server200. For example, a server may deliver an http://example.com/index.htmlthat may include a cross-site <script> tag as follows:

<html>...<head> <script type=″text/Javascript″> function lookup_cb(d) {var services = d[″services″]; var slen = services.length; var s, len; s=″<ul>″; for ( var i = 0; i < slen; ++i ) s = s + ″<li>″ +services[i].name + ″</li>″; s = s + ″</ul>″;document.getElementById(″services″).innerHTML=s; }</script></head><body> ... <div id=”services”></div> ... <scriptid=″external_script″ type=″text/Javascript″></script> <script>document.getElementById(″external_script″).src =″http://pairing_server.com/fling/lookup?callback=lookup_cb″;</script></body></html>

In the example above, Javascript® may replace a source of a <script>with id “external_script” with a script downloaded from the pairingserver 200. A call being made to a sandbox reachable service 114 may beembedded in a call to “lookup” with a single argument“callback=lookup_cb.” The pairing server 200 may return a script thatmay include a result, e.g.,

lookup_cb({ “services”: [...], “yourip”: “69.106.59.218”, “version”:“1.0”, “interval”: 900 })

The result above may include a list of “services” discovered in a user's(e.g., the user of the client device 100) shared network 202. The resultmay be encapsulated inside a call to lookup_cb which was a callbackpassed in a SRC URI to an external_script <script> tag. A returnedscript may be automatically executed, causing lookup_cb to be called.lookup_cb may iterate over services in a result and may output them intothe HTML of the web page http://example.com/index.html.

According to one embodiment, an image 334 may be a HTML tag thatincorporates inline graphics into an HTML document. FIG. 3 may alsoencompass an <A> tag encapsulating an <IMG> tag where it is described animage 334, thereby allowing a link to take on the appearance of abutton, according to one embodiment. With Javascript® a behavior of theimage may be scripted to make the button change appearance when a mousepasses over the button or when a user clicks on the button, therebymaking the image behave more like a button. For example,

<HTML> <HEAD> ... <script type=″text/Javascript″> function loaded( ) {var im = document.getElementById(″image″) alert( ″image height=″ +im.height + ″ width=″ + im.width ); } </script> </HEAD><BODY>... <IMGID=″image″ SRC=”http://pairing_server.com/f?a=10&b=bar” onload=″loaded();″></IMG> </BODY> </HTML>

FIG. 3 may also be applicable to an IMG tag where it is described animage 334 used to communicate a call, according to one embodiment. Forexample,

-   -   <IMG SRC=“http://pairing_server.com/f?a=10&b=bar”>calling f . .        . </IMG>

This example may correspond to a call f with arguments a=10 and/orb=bar. The pairing server 200 sees

<form name=“input” action=“http://pairing_server.com/fling”method=“post”> <INPUT TYPE=“HIDDEN” id=“title” name=“title”value=“Waxing Love” /> <INPUT TYPE=“HIDDEN” id=“description”name=“description” value=“An example video.” /> <INPUT TYPE=“HIDDEN”id=“uri” name=“uri” value=“http://example.com/wax.mp4” /> <INPUTTYPE=“SUBMIT” NAME=“submit” VALUE=“fling” /> </form>

A browser may expect an image to be returned by this request. As aresult, an IMG send message interface may not threaten a calling webpage with script injection attacks. However, it may limit what can bereturned with an IMG tag. The pairing server 200 may return a validtransparent IMG with width and height set to communicate a pair. Sincean IMG body has been loaded into the calling web page, the height andwidth of the image are immediately available to the calling page usingJavascript®, e.g.,

<A HREF=″http://pairing_server.com/f?a=10&b=bar″><IMG SRC=”f.jpg”>callf</IMG></A>

According to one embodiment, a header 336 may be an origin header, areferrer header, and/or any other supplemental data placed at thebeginning of a block of data being stored and/or transmitted. FIG. 3 maybe applicable to a passing of a URI of a web page that may include ahyperlink along with a GET request in a “referer [sic]” URI header whereit is described a header 336 when a user 820 clicks on a hyperlinkrendered from an <A> tag. A pairing server 200 can interpret a refererURI as an URI of a web page to be relayed to a sandbox reachable service114 that can render web pages. For example, the following hyperlinkappears in the web page http://example.com/foo.html

-   -   <A HREF=http://pairing_server.com/fling> fling this web page        </A>

When a user 820 clicks on “fling this page,” the pairing server 200 mayread the referer URI (e.g., associated with a client device 100) todetermine that the page http://example.com/foo.html should be relayed tothe receiving sandbox-reachable services.

FIG. 3 may also encompass interpreting a referer URI dependent on pagecontent where it is described a header 336, according to one embodiment.For example, a web page 302 that may include a video may cause areference to the video to be passed to a networked device 102.Similarly, a web page 302 that may include an audio may cause areference to the audio to be passed to a networked device 102.

According to one embodiment, a form 338 may be a HTML tag that allows aweb user to enter data that is sent to a server for processing. Forexample, FIG. 3 may encompass a sandboxed application 112 sendingmessages to a sandbox reachable service 114 via HTML FORMs where it isdescribed a form 338. The action of a form may direct the messages viathe pairing server 200. Assume a web page may reside athttp://example.com/index.html and assume a relay infrastructure may runon a server with example domain “pairing server.com.” The video to berelayed may be titled “Waxing Love.”

GET /f?a=10&b=bar HTTP/1.1 Host:ec2-204-236-247-87.compute-1.amazonaws.com:7878 Connection: keep-aliveReferer: http://dave.flingo.org/browser_behavior_tests/img_link.htmlCache-Control: max-age=0 Accept: */* User-Agent: Mozilla/5.0 (Macintosh;U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko)Chrome/6.0.472.63 Safari/534.3 Accept-Encoding: gzip,deflateAccept-Language: en-US,en;q=0.8 Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3

A hidden type may populate an HTTP POST. In this example, an URI of aresource may be passed to a pairing server 200. The pairing server 200may treat the POST as a message to be forwarded to services. In thisexample, the server may see something like:

POST /fling HTTP/1.1

Host: pairing_server.com

Origin: http://example.com/index.html

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us)

AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16

Content-Type: application/x-www-form-urlencoded

Accept:application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;

q=0.8,image/png,*/*;q=0.5

Referer: http://example.com/index.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

Content-Length: 95

Connection: keep-alive

title=Waxing+Love&description=An+example+video.&uri=http%3A%2F%2Fexample.com%2Fwax.mp4

&submit=fling

The intended message may be encoded in key-value pairs of a messagebody. In this case a title, description, and URI and an operation“fling.”

FIG. 4 is an exploded view of the pairing server 200, according to oneembodiment. FIG. 4 shows a pairing server 200, a discovery module 400, adiscovery algorithm 402, a relay module 404, a relay algorithm 406, aprotocols 408, and a database 422.

The discovery module 400 and the relay module 404 communicate with thedatabase 422, and they all exist within the pairing server 200 of FIG.4. According to one embodiment, a discovery module 400 may be aself-contained component of a pairing server 200 that detects devicesand services on a network. According to one embodiment, a relay module404 may be a self-contained component of a pairing server 200 thattransmits data to an intermediate node located between a source anddestination that are separated by a distance that prevents directcommunications. According to one embodiment, a database 422 may be astructured collection of information.

A networked device 102 may announce a sandbox reachable service 114 to adiscovery module 400. When a shared network 202 is determined to becommonly associated with a client device 100 and a networked device 102,a pairing server 200 may receive, store using a processor 108 and amemory 110, and communicate to a client device 100 a global uniqueidentifier 208 and/or an alphanumeric name 210 in an announcement from anetworked device 102 along with a hardware address 222 associated withthe networked device 102, a public address pair 220 associated with asandbox reachable service 114 of the networked device 102, and/or aprivate address pair 212 associated with the sandbox reachable service114 of the networked device 102. A shared network 202 is determined tobe commonly associated with a client device 100 and a networked device102 when it is presently shared and/or was previously shared by thenetworked device 102 and the client device 100.

The discovery algorithm 402 exists within the discovery module 400 ofFIG. 4. According to one embodiment, a discovery algorithm 402 may be aprocedure for detecting devices and services on a network. A serviceagent module of a networked device 102 may coordinate communicationswith a discovery module 400 of a security sandbox 104 and/or a pairingserver 200. For example, the service agent sits outside a browser orbrowser-like security sandbox thereby allowing it to listen on a socket.Thus, it can act as a means for services on the same device to discoverone another. The service agent may also announce on behalf of service(s)local to that device.

The relay algorithm 406 exists within the relay module 404 of FIG. 4.According to one embodiment, a relay algorithm 406 may be a procedurefor transmitting data to an intermediate node located between a sourceand destination that are separated by a distance that prevents directcommunications. A service agent module of a networked device 102 maycoordinate communications with a discovery module 400 of a securitysandbox 104 and/or a pairing server 200. For example, the service agentsits outside a browser or browser-like security sandbox thereby allowingit to listen on a socket. Thus, it can act as a relay for messagesarriving from a shared network 202.

When a client device 100 and a networked device 102 reside on networksthat are incommunicable with each other comprising a firewallseparation, a different network separation, a physical separation,and/or an unreachable connection separation, a sandboxed application 112of a security sandbox 104 of the client device 100 and a sandboxreachable service 114 of the networked device 102 may communicate witheach other through a relay service employed by a pairing server 200having a discovery module 400 and a relay module 404 to facilitate atrusted communication (e.g., by guarding a GUID 208, a private IPaddress 808, and/or a hardware address 222 of a networked device 102and/or a sandbox reachable service 114 from a sandboxed application 112)between the sandboxed application 112 and the sandbox reachable service114.

The discovery module 400 and the relay module 404 can also communicateusing the protocols 408 of FIG. 4. According to one embodiment, aprotocols 408 may be a system of digital message formats and rules forexchanging those messages in and/or between devices sharing a network.

FIG. 5 is an exploded view of the client device 100, according to oneembodiment. FIG. 5 shows a client device 100, a discovery module 500, arelay module 504, a discovery algorithm 502, a relay algorithm 506, anextension 518, a sandboxed application 112, a protocols 508, a Bonjour®protocol 510, a Simple Service Discovery Protocol (SSDP) protocol 512, alocal service discovery (LSD) uTorrent® protocol 514, a local areanetwork (LAN) based protocol 516, a multicast protocol 519, and ananycast protocol 520.

The extension 518 exists within the client device 100 of FIG. 5.According to one embodiment, an extension 518 may be a program addingthe capabilities of a discovery module 500 and/or a relay module 504 toa browser. A client device 100 may extend a security sandbox 104 with adiscovery algorithm 502 and a relay algorithm 506 through a discoverymodule 500 and a relay module 504 added to the security sandbox 104. Aclient device 100 may also bypass a pairing server 200 having adiscovery algorithm 402 and a relay algorithm 406 when establishing aconnection between a sandboxed application 112 and a sandbox reachableservice 114 when the security is extended with the discovery algorithm502 and the relay algorithm 506 through the discovery module 500 and therelay module 504 added to a security sandbox 104.

The discovery module 500, the relay module 504, and the sandboxedapplication 112 exist within the extension 518 of FIG. 5. The discoverymodule 500 communicates with the relay module 504 of FIG. 5. Accordingto one embodiment, a discovery module 500 may be a self-containedcomponent of a client device 100 that detects devices and services on anetwork. According to one embodiment, a relay module 504 may be aself-contained component of a client device 100 that transmits data toan intermediate node located between a source and destination that areseparated by a distance that prevents direct communications. A networkeddevice 102 may announce a sandbox reachable service 114 to a discoverymodule 500. A networked device 102 may also automatically instantiate acommunication between a sandbox reachable service 114 of the networkeddevice 102 and a client device 100 when a relay module 504 sends arequest from a sandboxed application 112 of the client device 100 to thesandbox reachable service 114.

The discovery algorithm 502 exists within the discovery module 500 ofFIG. 5. A client device 100 may apply a discovery algorithm 502 of asecurity sandbox 104 to determine that a networked device 102 having asandbox reachable service 114 communicates in a shared network 202common to the client device 100 and the networked device 102.

The relay algorithm 506 exists within the relay module 504 of FIG. 5. Aclient device 100 may apply a relay algorithm 506 of a security sandbox104 to establish a connection between a sandboxed application 112 and asandbox reachable service 114 of a networked device 102. A client device100 may utilize a WebSocket (e.g., a web technology providingfull-duplex communications channels over a single Transmission ControlProtocol connection) and/or a long polling service message queryinterface to reduce a latency of message delivery during a trustedcommunication between a sandboxed application 112 and a sandboxreachable service 114. A client device 100 may also optimize a pollingperiod between polling such that it is less than a timeout period of asession through the relay service. A client device 100 may initiate arelay service through a series of web pages where information iscommunicated using a hyperlink 328 that points at a pairing server 200,and/or a form 338 having a confirmation dialog that is submitted back tothe pairing server 200. A global unique identifier 208 (e.g., of asandbox reachable service 114) may be masked through a pairing server200 when a confirmation dialog is served from the pairing server 200.

The discovery algorithm 502 and the relay algorithm 506 can communicateusing the protocols 508 of FIG. 5. The Bonjour® protocol 510, the SSDPprotocol 512, the LSD uTorrent® protocol 514, the LAN-based protocol516, the multicast protocol 519, and the anycast protocol 520 existwithin the protocols 508 of FIG. 5. According to one embodiment, aBonjour® protocol 510 may be a system of technologies including servicediscovery, address assignment, and hostname resolution developed byApple®. According to one embodiment, a SSDP protocol 512 may be anetwork protocol based on the Internet Protocol Suite for advertisementand discovery of network services and presence information that isaccomplished without assistance of server-based configuration mechanismsand without special static configuration of a network host. According toone embodiment, a LSD uTorrent® protocol 514 may be an extension to theBitTorrent® file distribution system that is designed to support thediscovery of local BitTorrent® peers, aiming to minimize traffic throughan Internet service provider's (ISP) channel and minimize use ofhigher-bandwidth LAN while implemented in a client with a small memoryfootprint. According to one embodiment, a LAN-based protocol 516 may bea system of broadcast-based local area network discovery. According toone embodiment, a multicast protocol 519 may be a system of deliveringinformation simultaneously to a group of destination devices in a singletransmission from a source. According to one embodiment, an anycastprotocol 520 may be a system of routing datagrams from a single senderto the topologically nearest node in a group of potential receivers,though it may be sent to several nodes, all identified by the samedestination address.

A discovery algorithm 502 may utilize a protocols 508 comprising aBonjour® protocol 510, a SSDP protocol 512, a LSD uTorrent® protocol514, a multicast protocol 519, an anycast protocol 520, and/or anotherLAN-based protocol 516 that discovers services in a LAN based on abroadcast from any one of an operating system service, a securitysandbox 104, a client device 100, a sandbox reachable service 114, and anetworked device 102.

FIG. 6 is a table of example network information stored in a database422 of a pairing server 200, according to one embodiment. FIG. 6 shows aGUID 208, an alphanumeric name 210, a network 600, a service 601, aNetwork Address Translator (NAT) 602, a port number 604, an IP address606, and a table 650. The GUID 208, the alphanumeric name 210, thenetwork 600, the service 601, the NAT 602, the port number 604, and theIP address 606 are headings for each column of a table 650 of FIG. 6.

According to one embodiment, a network 600 may be a collection ofhardware interconnected by communication channels that allow sharing ofresources and information. According to one embodiment, a service 601may be a description and/or a name of a service provided by a device.According to one embodiment, a NAT 602 may be an indication of whetheror not a NAT device is present on a network 600. According to oneembodiment, a port number 604 may be a 16-bit reference number for aprocess-specific software construct serving as a communications endpointin a computer's host operating system. According to one embodiment, anIP address 606 may be a numerical label assigned to each deviceparticipating in a computer network that uses the Internet Protocol forcommunication. According to one embodiment, a table 650 may be a set ofdata elements that is organized using a model of vertical columns whichare identified by names and horizontal rows. A sandbox reachable service114 may communicate a GUID 208 and/or an alphanumeric name 210 to apairing server 200 along with an IP address 606 and/or a port number 604of the sandbox reachable service 114.

FIG. 7 is a block diagram of a method by which a security sandbox 104can communicate with a sandbox reachable service 114 that previouslyoperated on a shared network 202, according to one embodiment. FIG. 7shows a client device 100, a storage 109, a remote access token 702, aprivate IP address 704, and a hardware address 222. The storage 109exists within the client device 100 of FIG. 7. The remote access token702 exists within the storage 109 of FIG. 7. According to oneembodiment, a remote access token 702 may be an object encapsulating asecurity descriptor of a process so that a client device 100 and anetworked device 102 that previously established a communication sessionautomatically recognize each other. A cookie associated with a securitysandbox 104 may be used to store a remote access token 702 on a storage109 (e.g., Web storage, HTML5 storage) of a client device 100. A clientdevice 100 can communicate with a sandbox reachable service 114 thatpreviously operated on a common shared network 202 through a remoteaccess token 702.

The private IP address 704 and the hardware address 222 comprise aspectsof the remote access token 702 of FIG. 7. According to one embodiment, aprivate IP address 704 may be an IP address of a node on a privatenetwork that may not be used to route packets on the public Internet. Aremote access token 702 may identify a set of communicable privateInternet Protocol (IP) address (e.g., the private ip address 704) and/orhardware addresses (e.g., the hardware address 222) associated with asandbox reachable service 114 that previously operated on a commonshared network 202 with a client device 100. For example, FIG. 7 mayencompass a preference for associating a device with a hardware address222 where it is described a hardware address 222. A private IP address704 may change as devices move between networks. However, a hardwareaddress 222 may be a stable, long-term pseudonym for a device and thusmay serve a good value from which to derive a remote access token 702.

FIG. 8 is a schematic diagram of a private network 800 and a privatenetwork 802 communicating over the public Internet via a NAT device 804and a NAT device 806, according to one embodiment. FIG. 8 shows a clientdevice 100, a networked device 102, a pairing server 200, a privatenetwork 800, a private network 802, a NAT device 804, a NAT device 806,a private IP address 808, a private IP address 810, a public IP address812, a public IP address 814, a tablet device 816, a printer 818, and auser 820.

The private network 800 and the private network 802 communicatebidirectionally through the pairing server 200 of FIG. 8. According toone embodiment, a private network 800 may be a home network and/or anyother network with private IP space that may be behind a NAT device 804.According to one embodiment, a private network 802 may be an officenetwork and/or any other network with private IP space that may bebehind a NAT device 806. A client device 100 (e.g., laptop) and anetworked device 102 (e.g., television) may reside on networks that areincommunicable with each other comprising a firewall separation, adifferent network separation, a physical separation, and/or anunreachable connection separation. A sandboxed application 112 of asecurity sandbox 104 of the client device 100 and a sandbox reachableservice 114 of the networked device 102 may communicate with each otherthrough a relay service employed by a pairing server 200 having thediscovery module and the relay module to facilitate a trustedcommunication between the sandboxed application 112 and the sandboxreachable service 114.

The NAT device 804, the networked device 102, and the tablet device 816are all interconnected and exist within the private network 800 of FIG.8. According to one embodiment, a NAT device 804 may be a device formodifying IP address information in IP packet headers while in transitacross a traffic routing device. According to one embodiment, a tabletdevice 816 may be a one-piece mobile computer, primarily operated bytouchscreen and/or an onscreen virtual keyboard. A NAT device 804 may becoupled with a network on which a networked device 102 operates.

The NAT device 806, the client device 100, and the printer 818 are allinterconnected and exist within the private network 802 of FIG. 8.According to one embodiment, a NAT device 806 may be a device formodifying IP address information in IP packet headers while in transitacross a traffic routing device. According to one embodiment, a printer818 may be a peripheral device which produces a representation of anelectronic document on physical media. A NAT device 806 may be coupledwith a network on which a client device 100 operates.

The NAT device 804 connects to the pairing server 200 through the publicIP address 812 of FIG. 8. The NAT device 804 connects to the networkeddevice 102 through the private IP address 808 of the networked device102 of FIG. 8. According to one embodiment, a public IP address 812 maybe an IP address of a private network 800 that may be used to routepackets on the public Internet. According to one embodiment, a privateIP address 808 may be an IP address of a networked device 102 on aprivate network 800. A trusted communication may be facilitated in amanner such that a sandboxed application 112 never learns a private IPaddress 808 and/or a hardware address 222 of a networked device 102 whena NAT device 804 may translate a private IP address 808 of a networkeddevice 102 to a public IP address 812 visible to a sandboxed application112.

The NAT device 806 connects to the pairing server 200 through the publicIP address 814 of FIG. 8. The NAT device 806 connects to the clientdevice 100 through the private IP address 810 of the client device 100of FIG. 8. According to one embodiment, a public IP address 814 may bean IP address of a private network 802 that may be used to route packetson the public Internet. According to one embodiment, a private IPaddress 810 may be an IP address of a networked device 102 on a privatenetwork 802. A trusted communication may be facilitated in a manner suchthat a sandboxed application 112 never learns a private IP address 808and/or a hardware address 222 of a networked device 102 when a NATdevice 806 may receive communications from a public IP address 812 of aprivate network 800 on which a sandbox reachable service 114 operates.

For example, FIG. 8 may encompass a sandboxed application 112 beingconstrained to know nothing but a description and/or name of a service(e.g., no private IP address 808, no hardware address 222, no GUID 208)where it is described a private IP address 808.

FIG. 8 may also be applicable to a sandboxed application 112 beingconstrained to know nothing at all about who receives a communication(e.g., no private IP address 808, no hardware address 222, no GUID 208,no description and/or name of a service) where it is described a privateIP address 808, according to one embodiment. For example, a sandboxedapplication 112 may include a hyperlink 328 to a pairing server 200 inwhich the hyperlink 328 may specify a message but no recipienthttp://flingo.tv/fling/a?url=url_of_media_to_be_played. A pairing server200 may disambiguate an intended recipient (e.g., by returning a form338 to a user 820 in which the user 820 may select a sandbox reachableservice 114). A returned form 338 may execute in a security sandbox 104associated with a domain of a pairing server 200 which may be differentfrom a security sandbox 104 of a sandboxed application 112.

The user 820 exists within the private network 802 of FIG. 8. Accordingto one embodiment, a user 820 may be a human and/or software agent whouses a computer and/or network service.

In another aspect, a method of a client device includes constraining anexecutable environment in a security sandbox. The method also includesexecuting a sandboxed application in the executable environment using aprocessor and a memory. Further, the method includes automaticallyinstantiating a connection between the sandboxed application and asandbox reachable service of a networked media device.

The method may include processing an identification data associated withthe sandbox reachable service sharing a public address with the clientdevice. The method may also include determining a private address pairof the sandbox reachable service based on the identification data.Additionally, the method may include establishing a communicationsession between the sandboxed application and the sandbox reachableservice using a cross-site scripting technique of the security sandbox.Further, the method may include appending a header of a hypertexttransfer protocol to permit the networked media device to communicatewith the sandboxed application as a permitted origin domain through aCross-origin resource sharing (CORS) algorithm. The header may be eitherone of a origin header when the CORS algorithm is applied and a referrerheader in an alternate algorithm.

The method may further include accessing a pairing server whenprocessing the identification data associated with the sandbox reachableservice sharing the public address with the client device. The pairingserver may perform a discovery lookup of any device that has announcedthat it shares the public address associated with the client device. Thesandbox reachable service may announce itself to the pairing serverprior to the establishment of the communication session between thesandboxed application and the sandbox reachable service. The sandboxreachable service may also announce its availability across a range ofpublic addresses such that the sandboxed application communicates withthe sandbox reachable service in any one of the range of the publicaddresses. However, the range of public addresses may be known by thepairing server so that the announcement of the availability of thesandbox reachable service across the range of public addresses isunnecessary. The sandbox reachable service may communicate a globalunique identifier and/or an alphanumeric name to the pairing serveralong with the private address pair of the sandbox reachable service.The private address pair may include a private IP address and a portnumber associated with the sandbox reachable service.

The method may further include eliminating a communication through acentralized infrastructure when the sandboxed application and thesandbox reachable service communicate in a shared network common to theclient device and the networked media device when the connection isestablished. The shared network may be a local area network, a multicastnetwork, an anycast network, and/or a multilan network. The method mayalso include minimizing a latency in the communication session when thesandboxed application and the sandbox reachable service communicate inthe shared network common to the client device and the networked mediadevice when the connection is established. Further, the method mayinclude improving privacy in the communication session when thesandboxed application and the sandbox reachable service communicate inthe shared network common to the client device and the networked mediadevice when the connection is established.

The sandboxed application may be a web page, a script, a binaryexecutable, an intermediate bytecode, an abstract syntax tree, and/or anexecutable application in the security sandbox. The sandboxedapplication may comprise a markup language application such as aHyperText Markup Language 5 (HTML5) application, a Javascript®application, an Adobe® Flash® application, a Microsoft® Silverlight®application, a JQuery® application, and/or an Asynchronous Javascript®and a XML (AJAX) application. An access control algorithm may govern apolicy through which a secondary authentication is required whenestablishing a communication between the sandboxed application and thenetworked media device. The method may include utilizing an exception toa same origin policy through a use of a hyperlink, a form, the script, aframe, a header, and an image when establishing the connection betweenthe sandboxed application and the sandbox reachable service.

The method may include extending the security sandbox with a discoveryalgorithm and a relay algorithm through a discovery module and a relaymodule added to the security sandbox. The method may also includebypassing a pairing server having the discovery algorithm and the relayalgorithm when establishing the connection between the sandboxedapplication and the sandbox reachable service when the security sandboxis extended with the discovery algorithm and the relay algorithm throughthe discovery module and the relay module added to the security sandbox.

The method may further include applying the discovery algorithm of thesecurity sandbox to determine that the networked media device having thesandbox reachable service communicates in a shared network common to theclient device and the networked media device. The method may alsoinclude applying the relay algorithm of the security sandbox toestablish the connection between the sandboxed application and thesandbox reachable service of the networked media device. The discoveryalgorithm may utilize a protocol comprising a Bonjour® protocol, a SSDPprotocol, a LSD uTorrent® protocol, a multicast protocol, an anycastprotocol, and/or another Local Area Network (LAN) based protocol thatdiscovers services in a LAN based on a broadcast from any one of anoperating system service, the security sandbox, the client device, thesandbox reachable service, and the networked media device.

A cookie associated with the security sandbox may be used to store aremote access token on a storage of the client device. The remote accesstoken may identify a set of communicable private Internet Protocol (IP)addresses and/or hardware addresses associated with sandbox reachableservices that previously operated on a common shared network with theclient device. The client device may communicate with the sandboxreachable services that previously operated on the common shared networkthrough the remote access token.

The client device and the networked media device may reside on networksthat are incommunicable with each other comprising a firewallseparation, a different network separation, a physical separation,and/or an unreachable connection separation. The sandboxed applicationof the security sandbox of the client device and the sandbox reachableservice of the networked media device may communicate with each otherthrough a relay service employed by a pairing server having a discoverymodule and a relay module to facilitate a trusted communication betweenthe sandboxed application and the sandbox reachable service.

The trusted communication may be facilitated in a manner such that thesandboxed application never learns a private IP address and/or ahardware address of the networked media device. This may occur when afirst Network Address Translator (NAT) device receives communicationsfrom a public IP address of a different network on which the sandboxreachable service operates, and a second NAT device translates theprivate IP address of the networked media device to the public IPaddress visible to the sandboxed application. The first NAT device maybe coupled with a network on which the client device operates. Thesecond NAT device may be coupled with the different network on which thenetworked media device operates.

The networked media device may comprise a number of sandbox reachableapplications including the sandbox reachable application. A serviceagent module of the networked media device may coordinate communicationswith the discovery module of the security sandbox and/or the pairingserver. The security sandbox may be an operating system on which thesandboxed application is hosted and/or a browser application of theoperating system. The networked media device may be a television, aprojection screen, a multimedia display, a touchscreen display, an audiodevice, and/or a multidimensional visual presentation device.

The method may include utilizing a WebSocket and/or a long pollingservice message query interface to reduce a latency of message deliveryduring the trusted communication between the sandboxed application andthe sandbox reachable service. The method may also include optimizing apolling period between polling such that it is less than a timeoutperiod of a session through the relay service. The method may furtherinclude initiating the relay service through a series of web pages whereinformation is communicated using hyperlinks that point at the pairingserver, and/or a form having a confirmation dialog that is submittedback to the pairing server. A global unique identifier may be maskedthrough the pairing server when the confirmation dialog is served fromthe pairing server.

In one embodiment, a method of a networked device includes announcing asandbox reachable service of the networked device to a discovery moduleusing a processor and memory. The method also includes automaticallyinstantiating a communication between the sandbox reachable service ofthe networked device and a client device when a relay module sends arequest from a sandboxed application of the client device to the sandboxreachable service.

In yet another embodiment, a system includes a networked device toannounce a sandbox reachable service of the networked device to adiscovery module using a processor and memory. The system also includesa client device to constrain an executable environment in a securitysandbox, to execute a sandboxed application in the security sandbox, andto automatically instantiate a connection between the sandboxedapplication and the sandbox reachable service of the networked device.

In still another embodiment, a method of a pairing server includesreceiving, storing using a processor and a memory, and communicating toa client device a global unique identifier and/or an alphanumeric namein an announcement from a networked device along with a hardware addressassociated with the networked device, a public address pair associatedwith a sandbox reachable service of the networked device, and/or aprivate address pair associated with the sandbox reachable service ofthe networked device when a shared network is determined to be commonlyassociated with the client device and the networked device. The sharednetwork is a local area network, a multicast network, an anycastnetwork, and/or a multilan network.

For example, Jane may watch the local news and/or access an applicationthrough her mobile device while sitting on a couch in her living room.Jane may wish to automatically display the local news and/or applicationof a big screen television in front of her couch. Jane may use a gestureto transport the local news and/or application to the big screentelevision. For example, Jane may ‘fling’ (or flick) the screen on hermobile device in which the local news and/or application is running inan upward motion, and instantly transport the local news and/orapplication onto her big screen television. In an alternate embodiment,the big screen television may automatically detect that Jane is playingthe local news and/or running the application on her mobile device andautomatically launch the local news (in its current play state) and/orrun the application on the big screen television after detection(without requiring a fling or flick haptic gesture by Jane).

While Jane is playing the local news and/or running the application onthe big screen television, Jane may see advertisements that relate towhere she is located, where she works, and/or what she is currentlywatching on the big screen television on her mobile device through thecapture infrastructure described herein. Conversely, if Jane wereplaying the local news and/or running the application on her mobiledevice, she could see advertisements directly related to the activitiesshe is currently doing on her big screen television (and orsimultaneously on the mobile device). This is made possible through thevarious methods and techniques described herein, particularly withrespect to improvement of advertisement targeting through embeddedscripts in supply-side and/or demand-side platforms.

Although the present embodiments have been described with reference tospecific example embodiments, it will be evident that variousmodifications and changes may be made to these embodiments withoutdeparting from the broader spirit and scope of the various embodiments.For example, the various devices and modules described herein may beenabled and operated using hardware circuitry (e.g., CMOS based logiccircuitry), firmware, software or any combination of hardware, firmware,and/or software (e.g., embodied in a machine readable medium). Forexample, the various electrical structure and methods may be embodiedusing transistors, logic gates, and/or electrical circuits (e.g.,application specific integrated (ASIC) circuitry and/or Digital SignalProcessor (DSP) circuitry).

In addition, it will be appreciated that the various operations,processes, and/or methods disclosed herein may be embodied in amachine-readable medium and/or a machine accessible medium compatiblewith a data processing system (e.g., a computer device). Accordingly,the specification and drawings are to be regarded in an illustrative inrather than a restrictive sense.

What is claimed is:
 1. A method of a client device comprising: applyingan automatic content recognition algorithm to determine a contentidentifier of an audio-visual data; and associating the contentidentifier with an advertisement data based on a semantic correlationbetween a meta-data of the advertisement data provided by a contentprovider and the content identifier, wherein advertisement targeting isimproved when a script is embedded in at least one of the client device,a supply-side platform, and a data provider integrated with the supplyside platform, to execute arbitrary cross-site scripts in the sandboxedapplication of the client device, wherein the content identifier isobfuscated in a manner that it is relevant to a particular demand-sideplatform to eliminate a need to query the provider of the contentidentifier on a per ad-spot basis, and wherein the demand-side platformto submit requests to the advertising exchange based on a constrainttype rather than through a bidding methodology on a per advertisementspot basis.
 2. The method of claim 1 further comprising: wherein theadvertisement data is generated through an advertising exchange serverbased on the content identifier of the audio-visual data and a publicinternet-protocol address associated with an application requesting theadvertisement data. wherein a provider of the content identifierreceives a compensation when the advertisement data is associated withthe audio-visual data based on the public internet protocol addressassociated with the application requesting the advertisement data,wherein the provider of the content appends at least one of a set ofcontent identifiers from associated clients and a viewing history fromassociated clients to a plurality of advertisements and resells theadvertisement data back to the advertising exchange based on theappended content identifiers, wherein a capture infrastructure annotatesthe audio-visual data with at least one of a brand name and a productname by comparing entries in the master database with at least one of aclosed captioning data of the audio-visual data and through anapplication of an optical character recognition algorithm in theaudio-visual data, wherein a sandboxed application of the client devicerequests access to at least one of a microphone and a camera on theclient device to capture a raw audio/video data, wherein the captureinfrastructure processes the raw audio/video data with at least one ofthe brand name and the product name by comparing entries in the masterdatabase with at least one of the raw audio/video data and through theapplication of a sensory recognition algorithm of the raw audio/videodata, wherein the content identifier is at least one of a musicidentification, an object identification, a facial identification, and avoice identification, wherein a minimal functionality comprisingaccessing at least one of a tuner and a stream decoder that identifiesat least one of a channel and a content is found in the networked mediadevice, wherein the networked media device produces at least one of anaudio fingerprint and a video fingerprint that are communicated with thecapture infrastructure, wherein the capture infrastructure compares atleast one of the audio fingerprint and the video fingerprint with amaster database, wherein the capture infrastructure annotates theaudio-visual data with a logo name by comparing entries in the masterdatabase with a logo data of the audio-visual data identified using alogo detection algorithm, wherein the capture infrastructureautomatically divides the audio-visual data into a series of scenesbased on a sematic grouping of actions in the audio-visual data, whereinthe audio-visual data is analyzed in advance of a broadcast to determinecontent identifiers associated with each commercial in the audio-visualdata such that advertisements are pre-inserted into the audio-visualdata prior to broadcast, wherein the capture infrastructure applies atime-order algorithm to automatically match advertisements to theaudio-visual data when a correlation pattern is identified by thecapture infrastructure with other audio-visual content previouslyanalyzed, wherein the capture infrastructure includes a buffer that issaved to a persistent storage and for which a label is generated tofacilitate identification of reoccurring sequences, wherein a postprocessing operation is at least one of automated through apost-processing algorithm and a crowd-sourced operation using aplurality of users in which a turing test is applied to determine averacity of an input, wherein a device pairing algorithm is used inwhich a cookie data associated with a web page visited by the userstored on a browser on the client device is paired with the networkedmedia device when the client device is communicatively coupled with thenetworked media device, wherein a transitive public IP matchingalgorithm is utilized in which at least one of the client device and thenetworked media device communicates each public IP address with anypaired entity to the capture infrastructure, and wherein a tag that isunconstrained from a same-origin policy is used to automatically loadthe advertisement in the browser, wherein the tag is at least one of animage tag, a frame, a iframe, and a script tag.
 3. The method of claim 1further comprising: referencing an additional metadata comprising atleast one of the content identifier and the advertisement based on avideo processing algorithm, wherein the additional meta data is at leastone of a title, a description, a thumbnail, a name of an individual, anda historical data, and wherein the additional metadata is determinedfrom a browser history captured from the client device based on acapture policy, and correlating a relevance of the browser history withat least one of the content identifier and the advertisement;constraining an executable environment in a security sandbox; executinga sandboxed application in the executable environment using a processorand a memory; automatically instantiating a connection between thesandboxed application and the unannounced device associated with thenetworked media device based on the determination that the internetprotocol address of the port from the unannounced device is associatedwith the networked media device; processing an identification dataassociated with the sandbox reachable service sharing a public addresswith the client device; determining a private address pair of thesandbox reachable service based on the identification data; establishinga communication session between the sandboxed application and thesandbox reachable service using a cross-site scripting technique of thesecurity sandbox; and appending a header of a hypertext transferprotocol to permit the networked media device to communicate with thesandboxed application as a permitted origin domain through aCross-origin resource sharing (CORS) algorithm, wherein the header iseither one of a origin header when the CORS algorithm is applied and areferrer header in an alternate algorithm, wherein the sandboxedapplication queries a MAC address of the sandbox reachable service in acommon private network, wherein the sandbox reachable service optionallyverifies that the sandboxed application is in the common privatenetwork, wherein the sandbox reachable service communications a MACaddress of the sandboxed application to the sandboxed application whenthe common private network is shared, wherein the sandboxed applicationstores the MAC address of the sandboxed application and a uniqueidentifier derived from the MAC address of the sandboxed application,wherein the sandboxed application communicates the MAC address and theunique identifier to the pairing server, and automatically regeneratinga script embedded in at least one of the client device, a supply-sideplatform, and a data provider integrated with the supply side platformwhen the common private network is shared by the sandboxed applicationand sandboxed application based on the MAC address of the sandboxedapplication and the unique identifier communicated to the pairingserver.
 4. The method of claim 3 further comprising: accessing a pairingserver when processing the identification data associated with thesandbox reachable service sharing the public address with the clientdevice, wherein the pairing server performs a discovery lookup of anydevice that has announced that it shares the public address associatedwith the client device, and wherein the sandbox reachable serviceannounces itself to the pairing server prior to the establishment of thecommunication session between the sandboxed application and the sandboxreachable service.
 5. The method of claim 4 further comprising at leastone of: wherein the sandbox reachable service announces an availabilityof the sandbox reachable service across a range of public addresses suchthat the sandboxed application communicates with the sandbox reachableservice in any one of the range of the public addresses, wherein therange of public addresses is known by the pairing server so that theannouncement of the availability of the sandbox reachable service acrossthe range of public addresses is unnecessary, wherein the sandboxreachable service communicates at least one of a global uniqueidentifier and an alphanumeric name to the pairing server along with theprivate address pair of the sandbox reachable service, and wherein theprivate address pair includes a private IP address and a port numberassociated with the sandbox reachable service.
 6. The method of claim 3further comprising: eliminating a communication through a centralizedinfrastructure when the sandboxed application and the sandbox reachableservice communicate in a shared network common to the client device andthe networked media device when the connection is established, whereinthe shared network is at least one of the local area network, amulticast network, an anycast network, and a multilan network;minimizing a latency in the communication session when the sandboxedapplication and the sandbox reachable service communicate in the sharednetwork common to the client device and the networked media device whenthe connection is established; and improving privacy in thecommunication session when the sandboxed application and the sandboxreachable service communicate in the shared network common to the clientdevice and the networked media device when the connection isestablished.
 7. The method of claim 3 further comprising: wherein thesandboxed application is at least one of a web page, a script, a binaryexecutable, an intermediate bytecode, an abstract syntax tree, and anexecutable application in the security sandbox, wherein the sandboxedapplication comprises at least one of a markup language application suchas a HyperText Markup Language 5 (HTML5) application, a Javascript®application, an Adobe® Flash® application, a Microsoft® Silverlight®application, a JQuery® application, and an Asynchronous Javascript® anda XML (AJAX) application, and wherein an access control algorithmgoverns a policy through which a secondary authentication is requiredwhen establishing a communication between the sandboxed application andthe networked media device.
 8. The method of claim 7 further comprising:utilizing an exception to a same origin policy through a use of at leastone of a hyperlink, a form, the script, a frame, a header, and an imagewhen establishing the connection between the sandboxed application andthe sandbox reachable service.
 9. The method of claim 3 furthercomprising: extending the security sandbox with a discovery algorithmand a relay algorithm through a discovery module and a relay moduleadded to the security sandbox; and bypassing a pairing server having thediscovery algorithm and the relay algorithm when establishing theconnection between the sandboxed application and the sandbox reachableservice when the security sandbox is extended with the discoveryalgorithm and the relay algorithm through the discovery module and therelay module added to the security sandbox.
 10. The method of claim 9further comprising: applying the discovery algorithm of the securitysandbox to determine that the networked media device having the sandboxreachable service communicates in a shared network common to the clientdevice and the networked media device; and applying the relay algorithmof the security sandbox to establish the connection between thesandboxed application and the sandbox reachable service of the networkedmedia device.
 11. The method of claim 10: wherein the discoveryalgorithm utilizes a protocol comprising at least one of a Bonjour®protocol, a SSDP protocol, a LSD uTorrent® protocol, a multicastprotocol, an anycast protocol, and another Local Area Network (LAN)based protocol that discovers services in a LAN based on a broadcastfrom any one of an operating system service, the security sandbox, theclient device, the sandbox reachable service, and the networked mediadevice.
 12. The method of claim 3: wherein a cookie associated with thesecurity sandbox is used to store a remote access token on a storage ofthe client device, wherein the remote access token identifies at leastone of a set of communicable private Internet Protocol (IP) addressesand hardware addresses associated with sandbox reachable services thatpreviously operated on a common shared network with the client device,and wherein the client device can communicate with the sandbox reachableservices that previously operated on the common shared network throughthe remote access token.
 13. The method of claim 3: wherein the clientdevice and the networked media device reside on networks that areincommunicable with each other comprising at least one of a firewallseparation, a different network separation, a physical separation, anunreachable connection separation, and wherein the sandboxed applicationof the security sandbox of the client device and the sandbox reachableservice of the networked media device communicate with each otherthrough a relay service employed by a pairing server having a discoverymodule and a relay module to facilitate a trusted communication betweenthe sandboxed application and the sandbox reachable service.
 14. Themethod of claim 13: wherein the trusted communication is facilitated ina manner such that the sandboxed application never learns at least oneof a private IP address and a hardware address of the networked mediadevice when: a first Network Address Translator (NAT) device coupledwith a network on which the client device operates to receivecommunications from a public IP address of a different network on whichthe sandbox reachable service operates, and wherein a second NAT devicecoupled with the different network on which the networked media deviceoperates to translate the private IP address of the networked mediadevice to the public IP address visible to the sandboxed application.15. The method of claim 14: wherein the networked media device comprisesa plurality of sandbox reachable applications including the sandboxreachable application, and wherein a service agent module of thenetworked media device coordinates communications with the discoverymodule of at least one of the security sandbox and the pairing server,wherein the security sandbox is at least one of an operating system onwhich the sandboxed application is hosted and a browser application ofthe operating system, and wherein the networked media device is at leastone of a television, a projection screen, a multimedia display, atouchscreen display, an audio device, and a multidimensional visualpresentation device.
 16. The method of claim 15 further comprising:utilizing at least one of a WebSocket and a long polling service messagequery interface to reduce a latency of message delivery during thetrusted communication between the sandboxed application and the sandboxreachable service; and optimizing a polling period between polling suchthat it is less than a timeout period of a session through the relayservice.
 17. The method of claim 16 further comprising: initiating therelay service through at least one of a series of web pages whereinformation is communicated using hyperlinks that point at the pairingserver, and a form having a confirmation dialog that is submitted backto the pairing server, and wherein a global unique identifier is maskedthrough the pairing server when the confirmation dialog is served fromthe pairing server.
 18. A method of a networked device comprising:applying an automatic content recognition algorithm to determine acontent identifier of an audio-visual data; and associating the contentidentifier with an advertisement data based on a semantic correlationbetween a meta-data of the advertisement provided by a content providerand the content identifier, wherein advertisement targeting is improvedwhen a script is embedded in at least one of the client device, asupply-side platform, and a data provider integrated with the supplyside platform, to execute arbitrary cross-site scripts in the sandboxedapplication of the client device, wherein the content identifier isobfuscated in a manner that it is relevant to a particular demand-sideplatform to eliminate a need to query the provider of the contentidentifier on a per ad-spot basis, and wherein the demand-side platformto submit requests to the advertising exchange based on a constrainttype rather than through a bidding methodology on a per advertisementspot basis.
 19. The method of claim 18 further comprising at least oneof the following clauses: wherein the advertisement data is generatedthrough an advertising exchange server based on the content identifierof the audio-visual data and a public internet-protocol addressassociated with an application requesting the advertisement data.wherein a provider of the content identifier receives a compensationwhen the advertisement data is associated with the audio-visual databased on the public internet protocol address associated with theapplication requesting the advertisement data, wherein the provider ofthe content appends at least one of a set of content identifiers fromassociated clients and a viewing history from associated clients to aplurality of advertisements and resells the advertisement data back tothe advertising exchange based on the appended content identifiers,wherein a capture infrastructure annotates the audio-visual data with atleast one of a brand name and a product name by comparing entries in themaster database with at least one of a closed captioning data of theaudio-visual data and through an application of an optical characterrecognition algorithm in the audio-visual data, wherein a sandboxedapplication of the client device requests access to at least one of amicrophone and a camera on the client device to capture a rawaudio/video data, wherein the capture infrastructure processes the rawaudio/video data with at least one of the brand name and the productname by comparing entries in the master database with at least one ofthe raw audio/video data and through the application of a sensoryrecognition algorithm of the raw audio/video data, wherein the contentidentifier is at least one of a music identification, an objectidentification, a facial identification, and a voice identification,wherein a minimal functionality comprising accessing at least one of atuner and a stream decoder that identifies at least one of a channel anda content is found in the networked device, wherein the networked deviceproduces at least one of an audio fingerprint and a video fingerprintthat are communicated with the capture infrastructure, wherein thecapture infrastructure compares at least one of the audio fingerprintand the video fingerprint with a master database, wherein the captureinfrastructure annotates the audio-visual data with a logo name bycomparing entries in the master database with a logo data of theaudio-visual data identified using a logo detection algorithm, whereinthe capture infrastructure automatically divides the audio-visual datainto a series of scenes based on a sematic grouping of actions in theaudio-visual data, wherein the audio-visual data is analyzed in advanceof a broadcast to determine content identifiers associated with eachcommercial in the audio-visual data such that advertisements arepre-inserted into the audio-visual data prior to broadcast, wherein thecapture infrastructure applies a time-order algorithm to automaticallymatch advertisements to the audio-visual data when a correlation patternis identified by the capture infrastructure with other audio-visualcontent previously analyzed, wherein the capture infrastructure includesa buffer that is saved to a persistent storage and for which a label isgenerated to facilitate identification of reoccurring sequences, whereina post processing operation is at least one of automated through apost-processing algorithm and a crowd-sourced operation using aplurality of users in which a turing test is applied to determine averacity of an input, wherein a device pairing algorithm is used inwhich a cookie data associated with a web page visited by the userstored on a browser on a client device is paired with the networkeddevice when the client device is communicatively coupled with thenetworked device, wherein a transitive public IP matching algorithm isutilized in which at least one of the client device and the networkeddevice communicates each public IP address with any paired entity to thecapture infrastructure, wherein a tag that is unconstrained from asame-origin policy is used to automatically load the advertisement inthe browser, wherein the tag is at least one of an image tag, a frame, aiframe, and a script tag.
 20. The method of claim 19 further comprising:accessing a pairing server when processing an identification dataassociated with a sandbox reachable service of the networked device thatshares a public address with a client device, wherein the pairing serverperforms a discovery lookup of any device that has announced that itshares the public address associated with the client device, and whereinthe sandbox reachable service announces itself to the pairing serverprior to the establishment of the communication session between thesandboxed application and the sandbox reachable service. appending aheader of a hypertext transfer protocol to permit the networked deviceto communicate with the sandboxed application as a permitted origindomain through a Cross-origin resource sharing (CORS) algorithm, whereinthe header is either one of a origin header when the CORS algorithm isapplied and a referrer header in an alternate algorithm, and wherein theclient device to operate in at least one manner such that the clientdevice: to process an identification data associated with the sandboxreachable service sharing a public address with the client device; todetermine a private address pair of the sandbox reachable service basedon the identification data; and to establish a communication sessionbetween the sandboxed application and the sandbox reachable serviceusing a cross-site scripting technique of a security sandbox, whereinthe sandboxed application queries a MAC address of the sandbox reachableservice in a common private network, wherein the sandbox reachableservice optionally verifies that the sandboxed application is in thecommon private network, wherein the sandbox reachable servicecommunications a MAC address of the sandboxed application to thesandboxed application when the common private network is shared, whereinthe sandboxed application stores the MAC address of the sandboxedapplication and a unique identifier derived from the MAC address of thesandboxed application, wherein the sandboxed application communicatesthe MAC address and the unique identifier to the pairing server, andautomatically regenerating a script embedded in at least one of theclient device, a supply-side platform, and a data provider integratedwith the supply side platform when the common private network is sharedby the sandboxed application and sandboxed application based on the MACaddress of the sandboxed application and the unique identifiercommunicated to the pairing server.
 21. The method of claim 20 whereinthe client device: to access a pairing server when processing theidentification data associated with the sandbox reachable servicesharing the public address with the client device, wherein the pairingserver performs a discovery lookup of any devices that have announcedthat they share the public address associated with the client device,and wherein the sandbox reachable service announces itself to thepairing server prior to the establishment of the communication sessionbetween the sandboxed application and the sandbox reachable service. 22.The method of claim 21 further comprising at least one of: announcing anavailability of the sandbox reachable service across a range of publicaddresses such that the sandboxed application communicates with thesandbox reachable service in any one of the range of the publicaddresses; and communicating at least one of a global unique identifier,a hardware address, and an alphanumeric name to the pairing server alongwith the private address pair of the sandbox reachable service, andwherein the private address pair includes a private IP address and aport number associated with the sandbox reachable service.
 23. Themethod of claim 21 further comprising: eliminating a communicationthrough a centralized infrastructure when the sandboxed application andthe sandbox reachable service communicate in a shared network common tothe client device and the networked device when the communication isestablished, wherein the shared network is at least one of a local areanetwork, a multicast network, an anycast network, and a multilannetwork; minimizing a latency in the communication session when thesandboxed application and the sandbox reachable service communicate inthe shared network common to the client device and the networked devicewhen the communication is established; and improving privacy in thecommunication session when the sandboxed application and the sandboxreachable service communicate in the shared network common to the clientdevice and the networked device when the communication is established.24. The method of claim 20: wherein the sandboxed application is atleast one of a web page, a script, a binary executable, an intermediatebytecode, an abstract syntax tree, and an executable application in asecurity sandbox, wherein the sandboxed application comprises at leastone of a markup language application such as a HyperText Markup Language5 (HTML5) application, a Javascript® application, an Adobe® Flash®application, a Microsoft® Silverlight® application, a JQuery®application, and an Asynchronous Javascript® and a XML (AJAX)application, and wherein an access control algorithm governs a policythrough which a secondary authentication is required when establishing acommunication between the sandboxed application and the networkeddevice.
 25. The method of claim 24 wherein the client device: to utilizean exception to a same origin policy through a use of at least one of ahyperlink, a form, the script, a frame, a header, and an image whenestablishing the communication between the sandboxed application and thesandbox reachable service.
 26. The method of claim 20 wherein the clientdevice: to extend a security sandbox with a discovery algorithm and arelay algorithm through the discovery module and the relay module addedto the security sandbox; and to bypass a pairing server having thediscovery algorithm and the relay algorithm when establishing thecommunication between the sandboxed application and the sandboxreachable service when the security is extended with the discoveryalgorithm and the relay algorithm through the discovery module and therelay module added to the security sandbox.
 27. The method of claim 26wherein the client device: to apply the discovery algorithm of thesecurity sandbox to determine that the networked device having thesandbox reachable service communicates in a shared network common to theclient device and the networked device; and to apply the relay algorithmof the security sandbox to establish the communication between thesandboxed application and the sandbox reachable service of the networkeddevice.
 28. The method of claim 27: wherein the discovery algorithmutilizes a protocol comprising at least one of a Bonjour® protocol, aSSDP protocol, a LSD uTorrent® protocol, a multicast protocol, ananycast protocol, and another Local Area Network (LAN) based protocolthat discovers services in a LAN based on a broadcast from any one of anoperating system service, the security sandbox, the client device, thesandbox reachable service, and the networked device.
 29. The method ofclaim 28: wherein a cookie associated with the security sandbox is usedto store a remote access token on a storage of the client device,wherein the remote access token identifies at least one of a set ofcommunicable private Internet Protocol (IP) addresses and hardwareaddresses associated with sandbox reachable services that previouslyoperated on a common shared network with the client device, and whereinthe client device can communicate with the sandbox reachable servicesthat previously operated on the common shared network through the remoteaccess token.
 30. The method of claim 29: wherein the client device andthe networked device reside on networks that are incommunicable witheach other comprising at least one of a firewall separation, a differentnetwork separation, a physical separation, an unreachable connectionseparation, and wherein the sandboxed application of the securitysandbox of the client device and the sandbox reachable service of thenetworked device communicate with each other through a relay serviceemployed by the pairing server having the discovery module and the relaymodule to facilitate a trusted communication between the sandboxedapplication and the sandbox reachable service.
 31. The method of claim30: wherein the trusted communication is facilitated in a manner suchthat the sandboxed application never learns at least one of a private IPaddress and a hardware address of the networked device when: a firstNetwork Address Translator (NAT) device coupled with a network on whichthe client device operates to receives communications from a public IPaddress of a different network on which the sandbox reachable serviceoperates, and wherein a second NAT device coupled with the differentnetwork on which the networked device operates to translates the privateIP address of the networked device to the public IP address visible tothe sandboxed application.
 32. The method of claim 31: wherein thenetworked device comprises a plurality of sandbox reachable applicationsincluding the sandbox reachable application, and wherein a service agentmodule of the networked device coordinates communications with thediscovery module of at least one of the security sandbox and the pairingserver, wherein the security sandbox is at least one of an operatingsystem on which the sandboxed application is hosted and a browserapplication of the operating system, and wherein the networked device isat least one of a television, a projection screen, a multimedia display,a touchscreen display, an audio device, a weather measurement device, atraffic monitoring device, a status update device, a global positioningdevice, a geospatial estimation device, a tracking device, abidirectional communication device, a unicast device, a broadcastdevice, and a multidimensional visual presentation device.
 33. Themethod of claim 32 wherein the client device: to utilize at least one ofa WebSocket and a long polling service message query interface to reducea latency of message delivery during the trusted communication betweenthe sandboxed application and the sandbox reachable service; and tooptimize a polling period between polling such that it is less than atimeout period of a session through the relay service.
 34. The method ofclaim 33 wherein the client device: to initiate the relay servicethrough at least one of a series of web pages where information iscommunicated using hyperlinks that point at the pairing server, and aform having a confirmation dialog that is submitted back to the pairingserver, and wherein a global unique identifier is masked through thepairing server when the confirmation dialog is served from the pairingserver.
 35. A system comprising: a networked device and a client deviceto apply an automatic content recognition algorithm to determine acontent identifier of an audio-visual data and to associate the contentidentifier with an advertisement data based on a semantic correlationbetween a meta-data of the advertisement provided by a content providerand the content identifier; a capture infrastructure to annotate theaudio-visual data with at least one of a brand name and a product nameby comparing entries in the master database with at least one of aclosed captioning data of the audio-visual data and through anapplication of an optical character recognition algorithm in theaudio-visual data; and an advertising exchange server to generate anadvertisement based on the content identifier of the audio-visual dataand a public internet-protocol address associated with an applicationrequesting the advertisement data, and wherein advertisement targetingis improved when a script is embedded in at least one of the clientdevice, a supply-side platform, and a data provider integrated with thesupply side platform, to execute arbitrary cross-site scripts in thesandboxed application of the client device, wherein the contentidentifier is obfuscated in a manner that it is relevant to a particulardemand-side platform to eliminate a need to query the provider of thecontent identifier on a per ad-spot basis, and wherein the demand-sideplatform to submit requests to the advertising exchange based on aconstraint type rather than through a bidding methodology on a peradvertisement spot basis.
 36. The system of claim 35 further comprisingat least one of the following clauses: wherein a provider of the contentidentifier receives a compensation when the advertisement data isassociated with the audio-visual data based on the public internetprotocol address associated with the application requesting theadvertisement data, wherein the provider of the content appends at leastone of a set of content identifiers from associated clients and aviewing history from associated clients to a plurality of advertisementsand resells the advertisement data back to the advertising exchangebased on the appended content identifiers, wherein a captureinfrastructure annotates the audio-visual data with at least one of abrand name and a product name by comparing entries in the masterdatabase with at least one of a closed captioning data of theaudio-visual data and through an application of an optical characterrecognition algorithm in the audio-visual data, wherein a sandboxedapplication of the client device requests access to at least one of amicrophone and a camera on the client device to capture a rawaudio/video data, wherein the capture infrastructure processes the rawaudio/video data with at least one of the brand name and the productname by comparing entries in the master database with at least one ofthe raw audio/video data and through the application of a sensoryrecognition algorithm of the raw audio/video data, wherein the contentidentifier is at least one of a music identification, an objectidentification, a facial identification, and a voice identification,wherein a minimal functionality comprising accessing at least one of atuner and a stream decoder that identifies at least one of a channel anda content is found in the networked media device, wherein the networkedmedia device produces at least one of an audio fingerprint and a videofingerprint that are communicated with a capture infrastructure, whereinthe capture infrastructure compares at least one of the audiofingerprint and the video fingerprint with a master database, whereinthe capture infrastructure annotates the audio-visual data with a logoname by comparing entries in the master database with a logo data of theaudio-visual data identified using a logo detection algorithm, whereinthe capture infrastructure automatically divides the audio-visual datainto a series of scenes based on a sematic grouping of actions in theaudio-visual data, wherein the audio-visual data is analyzed in advanceof a broadcast to determine content identifiers associated with eachcommercial in the audio-visual data such that advertisements arepre-inserted into the audio-visual data prior to broadcast, wherein thecapture infrastructure applies a time-order algorithm to automaticallymatch advertisements to the audio-visual data when a correlation patternis identified by the capture infrastructure with other audio-visualcontent previously analyzed, wherein the capture infrastructure includesa buffer that is saved to a persistent storage and for which a label isgenerated to facilitate identification of reoccurring sequences, whereina post processing operation is at least one of automated through apost-processing algorithm and a crowd-sourced operation using aplurality of users in which a turing test is applied to determine averacity of an input, wherein a device pairing algorithm is used inwhich a cookie data associated with a web page visited by the userstored on a browser on the client device is paired with the networkedmedia device when the client device is communicatively coupled with thenetworked media device, wherein a transitive public IP matchingalgorithm is utilized in which at least one of the client device and thenetworked media device communicates each public IP address with anypaired entity to the capture infrastructure, and wherein a tag that isunconstrained from a same-origin policy is used to automatically loadthe advertisement in the browser, wherein the tag is at least one of animage tag, a frame, a iframe, and a script tag.
 37. The system of claim36: wherein the communication session is established by appending aheader of a hypertext transfer protocol to permit the networked deviceto communicate with the sandboxed application as a permitted origindomain through a Cross-origin resource sharing (CORS) algorithm, whereinthe header is either one of a origin header when the CORS algorithm isapplied and a referrer header in an alternate algorithm, wherein thesandboxed application queries a MAC address of the sandbox reachableservice in a common private network, wherein the sandbox reachableservice optionally verifies that the sandboxed application is in thecommon private network, wherein the sandbox reachable servicecommunications a MAC address of the sandboxed application to thesandboxed application when the common private network is shared, whereinthe sandboxed application stores the MAC address of the sandboxedapplication and a unique identifier derived from the MAC address of thesandboxed application, wherein the sandboxed application communicatesthe MAC address and the unique identifier to the pairing server, andautomatically regenerating a script embedded in at least one of theclient device, a supply-side platform, and a data provider integratedwith the supply side platform when the common private network is sharedby the sandboxed application and sandboxed application based on the MACaddress of the sandboxed application and the unique identifiercommunicated to the pairing server.
 38. The system of claim 36 whereinthe client device: to access a pairing server when processing theidentification data associated with the sandbox reachable servicesharing the public address with the client device, wherein the pairingserver performs a discovery lookup of any device that have announcedthat they share the public address associated with the client device,and wherein the sandbox reachable service announces itself to thepairing server prior to the establishment of the communication sessionbetween the sandboxed application and the sandbox reachable service. 39.The system of claim 38 wherein the networked device to at least one of:announce a sandbox reachable service of the networked device to adiscovery module using a processor and memory, announce an availabilityof the sandbox reachable service across a range of public addresses suchthat the sandboxed application communicates with the sandbox reachableservice in any one of the range of the public addresses, communicate atleast one of a global unique identifier and an alphanumeric name to thepairing server along with at least one of a hardware address associatedwith the networked device, a public address pair associated with asandbox reachable service of the networked device, and a private addresspair associated with the sandbox reachable service of the networkeddevice, and wherein the private address pair includes a private IPaddress and a port number associated with the sandbox reachable service.40. The system of claim 39 wherein the client device: to eliminate acommunication through a centralized infrastructure when the sandboxedapplication and the sandbox reachable service communicate in a sharednetwork common to the client device and the networked device when theconnection is established, wherein the shared network is at least one ofa local area network, a multicast network, an anycast network, and amultilan network; to minimize a latency in the communication sessionwhen the sandboxed application and the sandbox reachable servicecommunicate in the shared network common to the client device and thenetworked device when the connection is established; and to improveprivacy in the communication session when the sandboxed application andthe sandbox reachable service communicate in the shared network commonto the client device and the networked device when the connection isestablished.
 41. The system of claim 36: wherein the sandboxedapplication is at least one of a web page, a script, a binaryexecutable, an intermediate bytecode, an abstract syntax tree, and anexecutable application in the security sandbox, wherein the sandboxedapplication comprises at least one of a markup language application suchas a HyperText Markup Language 5 (HTML5) application, a Javascript®application, an Adobe® Flash® application, a Microsoft® Silverlight®application, a JQuery® application, and an Asynchronous Javascript® anda XML (AJAX) application, and wherein an access control algorithmgoverns a policy through which a secondary authentication is requiredwhen establishing a communication between the sandboxed application andthe networked device.
 42. The system of claim 41 wherein the clientdevice: to utilize an exception to a same origin policy through a use ofat least one of a hyperlink, a form, the script, a frame, a header, andan image when establishing the connection between the sandboxedapplication and the sandbox reachable service.
 43. The system of claim36 wherein the client device: to extend the security sandbox with adiscovery algorithm and a relay algorithm through the discovery moduleand a relay module added to the security sandbox, and to bypass apairing server having the discovery algorithm and the relay algorithmwhen establishing the connection between the sandboxed application andthe sandbox reachable service when the security is extended with thediscovery algorithm and the relay algorithm through the discovery moduleand the relay module added to the security sandbox.
 44. The system ofclaim 43 wherein the client device: to apply the discovery algorithm ofthe security sandbox to determine that the networked device having thesandbox reachable service communicates in a shared network common to theclient device and the networked device, and to apply the relay algorithmof the security sandbox to establish the connection between thesandboxed application and the sandbox reachable service of the networkeddevice.
 45. The system of claim 44: wherein the discovery algorithmutilizes a protocol comprising at least one of a Bonjour® protocol, aSSDP protocol, a LSD uTorrent® protocol, a multicast protocol, ananycast protocol, and another Local Area Network (LAN) based protocolthat discovers services in a LAN based on a broadcast from any one of anoperating system service, the security sandbox, the client device, thesandbox reachable service, and the networked device.
 46. The system ofclaim 45: wherein a cookie associated with the security sandbox is usedto store a remote access token on a storage of the client device,wherein the remote access token identifies at least one of a set ofcommunicable private Internet Protocol (IP) addresses and hardwareaddresses associated with sandbox reachable services that previouslyoperated on a common shared network with the client device, and whereinthe client device can communicate with the sandbox reachable servicesthat previously operated on the common shared network through the remoteaccess token.
 47. The system of claim 46: wherein the client device andthe networked device reside on networks that are incommunicable witheach other comprising at least one of a firewall separation, a differentnetwork separation, a physical separation, an unreachable connectionseparation, and wherein the sandboxed application of the securitysandbox of the client device and the sandbox reachable service of thenetworked device communicate with each other through a relay serviceemployed by the pairing server having the discovery module and the relaymodule to facilitate a trusted communication between the sandboxedapplication and the sandbox reachable service.
 48. The system of claim47: wherein the trusted communication is facilitated in a manner suchthat the sandboxed application never learns at least one of a private IPaddress and a hardware address of the networked device when: a firstNetwork Address Translator (NAT) device coupled with a network on whichthe client device operates to receives communications from a public IPaddress of a different network on which the sandbox reachable serviceoperates, and wherein a second NAT device coupled with the differentnetwork on which the networked device operates to translates the privateIP address of the networked device to the public IP address visible tothe sandboxed application.
 49. The system of claim 48: wherein thenetworked device comprises a plurality of sandbox reachable applicationsincluding the sandbox reachable application, and wherein a service agentmodule of the networked device coordinates communications with thediscovery module of at least one of the security sandbox and the pairingserver, wherein the security sandbox is at least one of an operatingsystem on which the sandboxed application is hosted and a browserapplication of the operating system, and wherein the networked device isat least one of a television, a projection screen, a multimedia display,a touchscreen display, an audio device, a weather measurement device, atraffic monitoring device, a status update device, a global positioningdevice, a geospatial estimation device, a tracking device, abidirectional communication device, a unicast device, a broadcastdevice, and a multidimensional visual presentation device.
 50. Thesystem of claim 49 wherein the client device: to utilize at least one ofa WebSocket and a long polling service message query interface to reducea latency of message delivery during the trusted communication betweenthe sandboxed application and the sandbox reachable service, and tooptimize a polling period between polling such that it is less than atimeout period of a session through the relay service.
 51. The system ofclaim 50 wherein the client device: to initiate the relay servicethrough at least one of a series of web pages where information iscommunicated using hyperlinks that point at the pairing server, and aform having a confirmation dialog that is submitted back to the pairingserver, and wherein a global unique identifier is masked through thepairing server when the confirmation dialog is served from the pairingserver.